Impact
This vulnerability arises from the Rank Math SEO WordPress plugin inserting sensitive information into outbound data, which lets an attacker retrieve the embedded data, such as configuration settings or internal credentials. The result is a data leak that could expose confidential information about the website or its administrators and give an attacker insight into backend operations. The impact is limited to a loss of confidentiality rather than authorization or availability disruption, but the exposed data can facilitate further attacks.
Affected Systems
Rank Math SEO plugin versions earlier than or equal to 1.0.252.1 on WordPress sites are affected. This includes any installation of the plugin up to and including that release, regardless of the WordPress core version. Administrators should check the exact installed plugin version against this range when planning remediation.
Risk and Exploitability
The CVSS score of 4.3 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests that the likelihood of exploitation is currently very low, and the issue is not listed in the CISA KEV catalog, further reducing the risk of widespread exploitation. An attack would exploit the plugin's handling of outgoing data: an attacker would need to interact with the plugin, or leverage an existing compromise of the WordPress site, to trigger the data leakage. No additional prerequisites are stated in the available information.
OpenCVE Enrichment