Description
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in all versions up to, and including, 1.0.271. This makes it possible for unauthenticated attackers to modify several plugin settings including homepage title, meta description, breadcrumbs label, and social media metadata, which can have severe impact on SEO rankings and display malicious content across all site pages where breadcrumbs are used.
Published: 2026-05-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Rank Math SEO plugin for WordPress contains a missing capability check in the update_site_editor_homepage function. Because the check is omitted, an unauthenticated user can call the REST endpoint and change critical settings such as the homepage title, meta description, breadcrumbs label, and social media metadata. These changes can degrade search engine rankings, mislead visitors, and inject malicious content wherever breadcrumbs are displayed.

Affected Systems

The vulnerability affects all installations of the Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin up to and including version 1.0.271. Any WordPress site running one of these plugin versions is affected.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The EPSS score is not available, and the vulnerability has not been catalogued in the CISA KEV. Attackers could exploit this via an unauthenticated REST call, allowing arbitrary modification of plugin configuration without any authentication or authorization. Because no authorization check runs before the settings are written, exploitation is straightforward, and once the settings are altered, malicious content can appear on every page that renders breadcrumbs.

Generated by OpenCVE AI on May 29, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Rank Math SEO plugin to a version newer than 1.0.271 so that the safeguard is in place.
  • If the plugin cannot be updated immediately, remove or disable it to prevent the vulnerable endpoint from being reachable.
  • Add a restriction to the REST API that blocks unauthenticated access to the update_site_editor_homepage endpoint or implement custom access controls to enforce proper authorization.



Advisories

No advisories yet.

History

Fri, 29 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared: Rankmath; Rankmath rankmath Seo Ai Seo Tools To Dominate Seo Rankings; Wordpress; Wordpress wordpress
Vendors & Products: Rankmath; Rankmath rankmath Seo Ai Seo Tools To Dominate Seo Rankings; Wordpress; Wordpress wordpress

Fri, 29 May 2026 10:30:00 +0000

Type Values Removed Values Added
Description: The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in all versions up to, and including, 1.0.271. This makes it possible for unauthenticated attackers to modify several plugin settings including homepage title, meta description, breadcrumbs label, and social media metadata, which can have severe impact on SEO rankings and display malicious content across all site pages where breadcrumbs are used.
Title: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 - Missing Authorization to Unauthenticated Homepage Settings Modification
Weaknesses: CWE-862
References
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-29T12:55:17.214Z

Reserved: 2025-11-04T19:56:00.630Z

Link: CVE-2025-12714

Vulnrichment

Updated: 2026-05-29T12:55:13.761Z

NVD

Status: Deferred

Published: 2026-05-29T11:16:15.700

Modified: 2026-05-29T13:09:05.450

Link: CVE-2025-12714

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T12:00:11Z
