cbcvebase.
CVE-2024-9161
published 2024-10-05

CVE-2024-9161: The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing…

PriorityP276medium6.5CVSS 3.1
AVNACLPRNUINSUCNILAL
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
2.04%
78.8th percentile
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'update_metadata' function in all versions up to, and including, 1.0.228. This makes it possible for unauthenticated attackers to insert new and update existing metadata beginning with 'rank_math', and delete arbitrary existing user metadata and term metadata. Deleting existing usermeta can cause a loss of access to the administrator dashboard for any registered users, including Administrators.

Affected

2 ranges
VendorProductVersion rangeFixed in
rankmathrank_math_seo_ai_seo_tools_to_dominate_seo_rankings<= 1.0.228
rankmathseo< 1.0.2291.0.229

Detection & IOCsextracted from sources · hover to see the quote

url/wp-json/rankmath/v1/updateMeta
path/wp-content/plugins/seo-by-rank-math/
path/wp-content/plugins/seo-by-rank-math/readme.txt
commandPOST /wp-json/rankmath/v1/updateMeta with objectType=user, objectID, meta containing rank_math-prefixed keys
  • Detect unauthenticated POST requests to the /wp-json/rankmath/v1/updateMeta REST endpoint; no authentication headers should be present for malicious requests.
  • Look for JSON POST bodies to /wp-json/rankmath/v1/updateMeta containing 'objectType' set to 'user' or 'term' from unauthenticated sources.
  • Probe for plugin presence by checking for HTTP 200 on /wp-content/plugins/seo-by-rank-math/readme.txt containing 'Rank Math' before exploitation attempt.
  • Monitor for sudden loss of usermeta for administrator accounts (e.g., capabilities key deleted), which may indicate exploitation causing admin lockout.
  • ·Only metadata keys beginning with 'rank_math' can be inserted or updated; arbitrary key names cannot be written via this vulnerability.
  • ·Deletion of metadata is not restricted to 'rank_math'-prefixed keys — arbitrary existing user metadata and term metadata can be deleted.
  • ·Affected versions are all releases up to and including 1.0.228; version 1.0.229 and later are patched.

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vulncheck6.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.