Rank Math SEO < 1.0.229 – Unauthenticated User and Term Metadata Insert/Update/Deletion | CVE 2024-9161 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'update_metadata' function. This makes it possible for unauthenticated attackers to insert new and update existing metadata beginning with 'rank_math', and delete arbitrary existing user metadata and term metadata. Deleting existing usermeta can cause a loss of access to the administrator dashboard for any registered users, including Administrators.

Affects Plugins

seo-by-rank-math

Fixed in 1.0.229

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7df39a64-76c5-4ebe-a271-44bd147a3a86

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Leo

Verified

No

WPVDB ID

95be2559-f0e2-4e98-9bef-3989df0d25bf

Timeline

Publicly Published

2024-10-04 (about 1 year ago)

Added

2024-10-07 (about 1 year ago)

Last Updated

2024-10-07 (about 1 year ago)

Other

Published

Title

Published

2023-09-22

Title

Ad Inserter – Ad Manager & AdSense Ads < 2.7.31 - Unauthenticated Sensitive Information Exposure

Published

2024-06-18

Title

MIMO Woocommerce Order Tracking <= 1.0.2 - Missing Authorization to Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-25

Title

Quiz Maker Business, Developer, and Agency - Unauthenticated Stored XSS

Published

2023-12-18

Title

Essential Real Estate < 4.4.0 - Subscriber+ Denial of Service via Arbitrary Option Update

Published

2025-05-07

Title

Graphina < 3.0.5 - Missing Authorization