WordPress Plugin Vulnerabilities

Rank Math SEO < 1.0.107.3 - Contributor+ LFI

Description

The plugin does not validate paths in the update_schemas and get_snippet_content functions, which could allow users with a role of contributor and above to perform LFI attacks

Affects Plugins

Plugin icon
seo-by-rank-math
Fixed in 1.0.107.3

References

CVE
CVE-2023-23888

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
2b12083e-a7cf-4634-8f45-015275a096d4

Timeline

Publicly Published
2023-01-30 (about 3 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2026-03-20
Title
Scape - Multipurpose WordPress theme < 1.5.16 - Unauthenticated Arbitrary File Deletion
Published
2015-07-03
Title
Swim Team < 1.45 - Local File Inclusion
Published
2026-04-17
Title
WP Customer Area < 8.3.5 - Authenticated (Subscriber+) Arbitrary File Read/Deletion via ajax_attach_file
Published
2025-03-21
Title
Export and Import Users and Customers < 2.6.3 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function
Published
2026-04-16
Title
Groundhogg — CRM, Newsletters, and Marketing Automation < 4.4.1 - Authenticated (Sales Representative+) Arbitrary File Deletion