WordPress Plugin Vulnerabilities

Rank Math SEO with AI Best SEO Tools < 1.0.219-beta - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Rank Math SEO with AI Best SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in versions up to, and including, 1.0.218 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
seo-by-rank-math
Fixed in 1.0.219-beta

References

CVE
CVE-2024-4617
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/474fdbcb-fe3c-4a79-a847-363f81b300c2

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Ngô Thiên An (ancorn_)
Verified
No
WPVDB ID
ea6bda07-2810-4546-badb-aa8fe829f431

Timeline

Publicly Published
2024-05-15 (about 1 year ago)
Added
2024-05-17 (about 1 year ago)
Last Updated
2024-05-17 (about 1 year ago)

Other

Published
Title
Published
2023-01-11
Title
Flexible Captcha <= 4.1 - Contributor+ Stored XSS
Published
2025-08-02
Title
Yogi - Health Beauty & Yoga < 2.9.3 - Reflected Cross-Site Scripting
Published
2025-08-14
Title
Inspectlet - User Session Recording and Heatmaps <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-12-05
Title
ForumWP < 2.1.3 - Reflected Cross-Site Scripting via url Parameter
Published
2024-10-21
Title
Whitelist <= 3.5 - Reflected Cross-Site Scripting