Impact
The Rank Math SEO plugin contains a missing authorization check (CWE-862, Missing Authorization): a function that should be restricted to privileged users can be invoked without the plugin verifying that the caller holds the required capability. The flaw stems from incorrectly configured access control levels and lets an attacker change plugin settings or data they should not be able to reach. The likely consequences are unauthorized modification of SEO metadata, potential defacement, or other unintended changes to site content.
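To make the weakness class concrete, the following is an added illustration of CWE-862 as it typically appears in a WordPress plugin; it is not Rank Math's code, and the route name, option name, action names and the `manage_options` capability are hypothetical choices for the example. The vulnerable handlers accept a settings change from anyone who can reach the endpoint; the hardened handlers require the capability the action actually needs.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress plugin.
// This is NOT Rank Math's code; 'example-seo/v1', the option name and the
// action names are hypothetical.

// --- Vulnerable pattern: a REST route whose permission callback always
// succeeds. register_rest_route() has required a permission_callback since
// WordPress 5.5; passing '__return_true' satisfies the API but performs no
// authorization at all, so any visitor who can reach /wp-json can overwrite
// the plugin's settings.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_save_settings',
        'permission_callback' => '__return_true', // CWE-862: no authorization check
    ) );
} );

// --- Hardened pattern: require the capability the action needs. Changing
// plugin settings is an administrative action, so manage_options is the usual
// choice; pick the narrowest capability that fits the operation.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/settings-fixed', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'title_template' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Shared callback: persists the submitted value as a plugin option.
function example_seo_save_settings( WP_REST_Request $request ) {
    update_option( 'example_seo_title_template', $request->get_param( 'title_template' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// --- The same defect in an admin-ajax handler. Registering a wp_ajax_nopriv_
// action exposes the handler to unauthenticated requests, and even wp_ajax_
// alone only proves the caller is logged in, not that they may change settings.
add_action( 'wp_ajax_example_seo_save',        'example_seo_ajax_save_vulnerable' );
add_action( 'wp_ajax_nopriv_example_seo_save', 'example_seo_ajax_save_vulnerable' ); // anyone can call it
function example_seo_ajax_save_vulnerable() {
    $value = sanitize_text_field( wp_unslash( $_POST['title_template'] ?? '' ) );
    update_option( 'example_seo_title_template', $value );
    wp_send_json_success();
}

// --- Hardened: capability check first, then the nonce. The nonce defends
// against CSRF and is not a substitute for the capability check; the
// capability check is not a substitute for the nonce either.
add_action( 'wp_ajax_example_seo_save_fixed', 'example_seo_ajax_save_fixed' );
function example_seo_ajax_save_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_seo_save', 'nonce' );
    $value = sanitize_text_field( wp_unslash( $_POST['title_template'] ?? '' ) );
    update_option( 'example_seo_title_template', $value );
    wp_send_json_success();
}
```

When auditing a plugin for this class of bug, the quickest triage is to list every `register_rest_route()` call whose `permission_callback` is `__return_true` (or missing) and every `wp_ajax_nopriv_` registration, then confirm for each whether the handler performs a state change that should be gated on a capability.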
Affected Systems
The vulnerability affects the Rank Math SEO WordPress plugin in all versions up to and including 1.0.252.1. Releases after 1.0.252.1 contain the vendor's fix; sites running an affected version should update to the latest available release.
Risk and Exploitability
The CVSS base score of 3.8 places the issue in the low severity band, and an EPSS score below 1% indicates a very low estimated probability of exploitation in the wild over the next 30 days. The flaw is not listed in CISA's KEV catalog, so there is no evidence of known exploitation. The attack vector is network-based: the attacker needs web access to the site and the ability to invoke the plugin's administrative functionality, such as its settings endpoints. Because the authorization check is missing, the plugin does not verify that the caller holds the capability the action should require, so a WordPress account with fewer privileges than the action warrants can trigger it; the advisory text here does not state the minimum role needed. The low score reflects the limited impact (integrity of plugin settings and SEO data, with no confidentiality or availability effect described), not the difficulty of triggering the flaw.
OpenCVE Enrichment