WordPress Plugin Vulnerabilities

Rank Math SEO < 1.0.236 - Contributor+ Stored XSS via Rank Math API

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's Rank Math API due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
seo-by-rank-math
Fixed in 1.0.236

References

CVE
CVE-2024-13227
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/24df10fb-5143-478e-90f0-27f604ad43ee

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
b23eeba3-0efb-4141-9401-0c856cf2824e

Timeline

Publicly Published
2025-02-12 (about 1 year ago)
Added
2025-02-12 (about 1 year ago)
Last Updated
2025-02-12 (about 1 year ago)

Other

Published
Title
Published
2026-02-25
Title
TP2WP Importer <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Watched domains' Textarea
Published
2025-04-24
Title
WP Custom Post Popup <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-16
Title
Icegram Engage < 3.1.32 - Author+ Stored XSS
Published
2026-01-20
Title
Grand Tour < 5.6.2 - Unauthenticated Stored Cross-Site Scripting
Published
2026-01-09
Title
ConvertForce Popup Builder < 0.0.8 - Stored Cross-Site Scripting via entrance_animation