Description
The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to add header and footer code blocks.
Published: 2026-01-07
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized code injection via header/footer modification
Action: Apply Update
AI Analysis

Impact

An authenticated attacker with Editor-level access or higher can add header and footer code blocks to a WordPress site running the Rankology SEO and Analytics Tool plugin. The cause is an incorrect capability check on the plugin's 'rankology_code_block' admin page: the page accepts users holding a capability that Editors already have, rather than requiring an administrator-level capability, so a role that should not control site-wide output is able to do so. Header and footer code is rendered into every front-end page, so injected HTML or JavaScript executes in every visitor's browser; the practical outcomes are stored cross-site scripting, malicious redirects and similar client-side attacks on the site's audience. The weakness is classified as CWE-285, Improper Authorization.
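The bug class behind this CVE, shown as an added illustration rather than the Rankology plugin's own code (the plugin's source is not on this page): a WordPress admin page that saves site-wide header/footer code is registered and re-checked with a capability Editors hold, next to a hardened version that requires administrator capabilities and a nonce. All function, option and menu-slug names are hypothetical; only standard WordPress APIs are used.

```php
<?php
// Added example for CVE-2025-12958 (CWE-285). Hypothetical function, option and
// menu-slug names; this is NOT the Rankology plugin's code. Standard WordPress
// APIs only: add_menu_page, current_user_can, check_admin_referer, update_option.

// Shared settings form. esc_textarea() protects the admin screen itself; the
// stored value is still raw markup once emitted on the front end.
function example_render_form( bool $with_nonce ) {
    echo '<form method="post">';
    if ( $with_nonce ) {
        wp_nonce_field( 'example_save_code_block' );
    }
    echo '<textarea name="header_code">' . esc_textarea( get_option( 'example_header_code', '' ) ) . '</textarea>';
    echo '<textarea name="footer_code">' . esc_textarea( get_option( 'example_footer_code', '' ) ) . '</textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// ---- WEAK: the pattern the advisory describes --------------------------------
// The page is registered with 'edit_pages', a capability WordPress grants to
// Editors by default, and the handler re-checks that same capability. WordPress
// therefore shows the page to, and accepts submissions from, any Editor.
function example_weak_register_page() {
    add_menu_page(
        'Code Blocks', 'Code Blocks',
        'edit_pages',                 // <- the incorrect capability check
        'example_code_block',         // admin.php?page=example_code_block
        'example_weak_render_page'
    );
}
// add_action( 'admin_menu', 'example_weak_register_page' ); // the vulnerable wiring

function example_weak_render_page() {
    if ( ! current_user_can( 'edit_pages' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    if ( isset( $_POST['header_code'] ) ) {
        // No nonce check, no sanitization: stored verbatim, rendered site-wide.
        update_option( 'example_header_code', wp_unslash( $_POST['header_code'] ) );
        update_option( 'example_footer_code', wp_unslash( $_POST['footer_code'] ?? '' ) );
    }
    example_render_form( false );
}

// ---- HARDENED -----------------------------------------------------------------
// Site-wide output is an administrator's decision, so gate both the menu and
// the handler on 'manage_options'. Because the value is raw HTML/JS, also
// require 'unfiltered_html' (on multisite only Super Admins hold it, and
// DISALLOW_UNFILTERED_HTML removes it everywhere). Verify a nonce so an
// administrator cannot be tricked into saving via CSRF.
function example_hardened_register_page() {
    add_menu_page(
        'Code Blocks', 'Code Blocks',
        'manage_options',
        'example_code_block',
        'example_hardened_render_page'
    );
}
add_action( 'admin_menu', 'example_hardened_register_page' );

function example_hardened_render_page() {
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    if ( isset( $_POST['header_code'] ) ) {
        check_admin_referer( 'example_save_code_block' ); // dies on a missing or invalid nonce
        update_option( 'example_header_code', wp_unslash( $_POST['header_code'] ) );
        update_option( 'example_footer_code', wp_unslash( $_POST['footer_code'] ?? '' ) );
    }
    example_render_form( true );
}

// Front-end emission, common to both variants. Deliberately unescaped: raw
// markup is the feature, which is exactly why the write path must be
// administrator-only.
add_action( 'wp_head',   function () { echo get_option( 'example_header_code', '' ); } );
add_action( 'wp_footer', function () { echo get_option( 'example_footer_code', '' ); } );
```

The difference between the two variants is a single string in add_menu_page() plus the matching check in the handler, which is why this class of bug is easy to introduce and easy to miss in review: the menu capability is the authorization boundary for the whole page, and anything an Editor can reach there is effectively an Editor feature.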

Affected Systems

All versions of the Rankology SEO and Analytics Tool plugin for WordPress up to and including 2.0 are affected. No fixed version is recorded on this page.

Risk and Exploitability

The CVSS v3.1 base score of 2.7 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N) rates the issue Low: the only impact scored is a limited loss of integrity, and the attacker needs high privileges, namely an Editor account or above. The EPSS score below 1% suggests a small likelihood of exploitation in the wild, the vulnerability is not listed in CISA KEV, and the SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: partial. Because an Editor account is required, exposure is limited to sites that grant that role to users who are not fully trusted, or whose Editor credentials are compromised. On a single-site install, Editors already hold the unfiltered_html capability and can place scripts in posts and pages they edit; what this flaw adds is the ability to place code on every page of the site, outside any content they own.

Generated by OpenCVE AI on April 21, 2026 at 00:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Rankology SEO and Analytics Tool to a release newer than 2.0 once the vendor publishes one that corrects the capability check; this page records no fixed version, so confirm the fix in the plugin's changelog before treating a release as patched.
  • Until then, limit who holds the Editor role and audit existing Editor accounts, since the flawed check accepts Editor-level capabilities as sufficient. Note that 'rankology_code_block' is the plugin's admin page slug, not a WordPress capability, so it cannot be removed from a role directly; only administrators should be able to reach that page.
  • Review the header and footer code blocks currently stored by the plugin for content no administrator added, and treat any unexpected script or redirect as an indicator of compromise.
  • Monitor the plugin's release notes and WordPress security advisories, and consider deactivating the plugin on production sites until a patched version is available.
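One way for a site operator to enforce the second action above without touching the plugin, as an added example that is not vendor code: a must-use plugin that denies the 'rankology_code_block' admin page to anyone lacking manage_options. It assumes the page is reached as wp-admin/admin.php?page=rankology_code_block and that its form posts back to that same URL, which is where the advisory locates the incorrect check; the file name and the log message are illustrative.

```php
<?php
/**
 * Plugin Name: Temporary admin-only gate for rankology_code_block
 * Description: Denies the Rankology header/footer code page to users without manage_options until the plugin is patched.
 *
 * Added example, not vendor code. Save as wp-content/mu-plugins/rankology-gate.php
 * (must-use plugins load automatically and cannot be deactivated from wp-admin).
 * Assumptions: the page is reached as wp-admin/admin.php?page=rankology_code_block
 * and its form posts back to that URL. Requests via admin-ajax.php or admin-post.php
 * carry no ?page= parameter and are NOT covered by this gate.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Runs on every wp-admin request before the plugin's own handlers (priority 1),
// so a POST to the page is rejected before anything can be saved.
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() ) {
        return; // admin-ajax requests have no ?page=, see header comment
    }
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( 'rankology_code_block' !== $page ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        // Surface probing by non-admin accounts in the PHP error log.
        error_log( sprintf( 'rankology_code_block denied for user ID %d', get_current_user_id() ) );
        wp_die(
            esc_html__( 'This page is restricted to administrators until the Rankology plugin is updated.' ),
            403
        );
    }
}, 1 );

// Cosmetic: hide the menu entry from non-admins. remove_menu_page() only matches a
// top-level menu; if the plugin registers a submenu this call is a no-op and the
// admin_init gate above remains the actual control.
add_action( 'admin_menu', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        remove_menu_page( 'rankology_code_block' );
    }
}, 999 );
```

Verify the gate by logging in as an Editor and requesting the page: the response should be the 403 wp_die screen, and the denial should appear in the PHP error log. Remove the file once a patched plugin version is installed and confirmed.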

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000


Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress
Vendors & Products                    Wordpress; Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 08:30:00 +0000

Type          Values Removed   Values Added
Description                    The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to add header and footer code blocks.
Title                          Rankology SEO and Analytics Tool <= 2.0 - Incorrect Authorization to Authenticated (Editor+) Header & Footer Code Creation
Weaknesses                     CWE-285
References
Metrics                        cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:51.529Z

Reserved: 2025-11-10T16:16:36.749Z

Link: CVE-2025-12958

Vulnrichment

Updated: 2026-01-07T16:28:28.117Z

NVD

Status: Deferred

Published: 2026-01-07T12:16:47.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12958

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses