Description
Missing Authorization vulnerability in Rank Math Rank Math SEO PRO allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rank Math SEO PRO: from n/a through 3.0.95.
Published: 2026-03-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Broken Access Control
Action: Patch
AI Analysis

Impact

The Rank Math SEO PRO plugin suffers from a Missing Authorization flaw, categorized as CWE‑862. Because the plugin fails to enforce proper access checks for certain operations, an attacker could execute privileged functions or view sensitive data that should be restricted. The flaw does not provide remote code execution or denial of service; its impact is limited to unauthorized use of the plugin’s administrative capabilities.

Affected Systems

This vulnerability affects any WordPress site running Rank Math SEO PRO version 3.0.95 or earlier. The vendor is Rank Math. The record gives no lower bound for the affected range ("from n/a through 3.0.95"), so all earlier releases are considered vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, and the EPSS score below 1% suggests a low probability of exploitation. The issue is not catalogued in the CISA KEV list. Likely exploitation would occur over the web: an authenticated user who can send crafted HTTP requests to the plugin’s endpoints may bypass role checks and access privileged settings. Because it requires at least a basic user account with permission to interact with the plugin, the threat surface is limited compared to fully unauthenticated attacks.

Generated by OpenCVE AI on April 16, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rank Math SEO PRO to the latest release that addresses the broken access control.
  • If an upgrade cannot be performed immediately, remove or disable Rank Math SEO PRO until a patched version is installed.
  • Ensure that only administrator users have the capability to access the plugin’s settings; review and tighten role permissions in WordPress.



Advisories

No advisories yet.

History

Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rank Math Seo; Rank Math Seo rank Math Seo; Wordpress; Wordpress wordpress
Vendors & Products | | Rank Math Seo; Rank Math Seo rank Math Seo; Wordpress; Wordpress wordpress

Fri, 06 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Rank Math Rank Math SEO PRO allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rank Math SEO PRO: from n/a through 3.0.95.
Title | | WordPress Rank Math SEO PRO plugin <= 3.0.95 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-06T18:09:03.175Z

Reserved: 2026-02-25T12:13:47.060Z

Link: CVE-2026-28080

Vulnrichment

Updated: 2026-03-06T18:08:54.636Z

NVD

Status: Deferred

Published: 2026-03-06T12:15:54.890

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28080

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses