WordPress Plugin Vulnerabilities

Rank Math SEO PRO < 3.0.36 - Unauthenticated Reflected XSS

Description

The plugin does not sanitize and escape a parameter before outputting it back in the page, allowing an unauthenticated attacker to inject web scripts that will execute when a visitor follows a crafted link to the page.

Affects Plugins

Plugin icon
seo-by-rank-math-pro
Fixed in 3.0.36

References

CVE
CVE-2023-32800

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
9b3c8be1-2522-43fb-b0ae-7739dd46079e

Timeline

Publicly Published
2023-05-22 (about 2 years ago)
Added
2023-05-29 (about 2 years ago)
Last Updated
2023-05-29 (about 2 years ago)

Other

Published
Title
Published
2026-04-15
Title
Vantage < 1.20.33 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Block Text Content
Published
2024-05-17
Title
ArForms < 6.6 - Admin+ Stored XSS
Published
2024-06-22
Title
WP Affiliate Platform < 6.5.1 - Reflected XSS via Lead Editing
Published
2025-01-06
Title
LDD Directory Lite <= 3.3 - Reflected Cross-Site Scripting via remove_query_arg Parameter
Published
2025-01-16
Title
Notifications Center <= 1.5.2 - Reflected Cross-Site Scripting