Rank Math 0.9~1.0.42.1 – Authenticated Missing Access Controls to Disable Competitor Plugins

Description

Missing access controls on the GET requests to deactivate competitors' plugins. This could allow any authenticated users (such as subscribers) to deactivate the SEO and Sitemap plugins from competitors. The attack could also be performed via CSRF.

Proof of Concept

/wp-admin/index.php?rank_math_deactivate_seo_plugins=1&rank_math_deactivate_sitemap_plugins=1

Affects Plugins

seo-by-rank-math

Fixed in 1.0.42.2

References

URL

https://rankmath.com/changelog/

Miscellaneous

Original Researcher

Sybre Waaijer

Submitter

Sybre Waaijer

Submitter website

https://theseoframework.com/

Submitter twitter

SybreWaaijer

Verified

WPVDB ID

4f92af29-b9af-4786-9b29-373aba7de0c2

Timeline

Publicly Published

2020-04-18 (about 6 years ago)

Added

2020-06-16 (about 5 years ago)

Last Updated

2021-05-14 (about 4 years ago)

Other

Published

Title

Published

2020-02-22

Title

CardGate < 3.1.16 - Unauthorised Payments Hijacking and Order Status Spoofing

Published

2020-12-14

Title

Limit Login Attempts Reloaded < 2.17.4 - Login Rate Limiting Bypass

Published

2017-09-08

Title

BackWPup <= 3.4.1 - Backup File Download

Published

2025-11-10

Title

Hydra Booking < 1.1.28 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation

Published

2026-02-17

Title

Passster < 4.2.26 - Global Protection Bypass