Stored Cross-Site Scripting in Rank Math SEO Plugin for WordPress
CVE-2024-4627
5.4 MEDIUM
Summary
The Rank Math SEO plugin for WordPress, in versions prior to 1.0.219, is vulnerable to Stored Cross-Site Scripting. The issue arises because certain plugin settings are not properly sanitized on input or escaped on output. As a result, any user with access to the plugin's General Settings, including users granted that access with otherwise lower-level permissions through the Role Manager feature, can inject malicious scripts into those settings. The risk persists even when the 'unfiltered_html' capability is restricted, which makes it a significant security threat, particularly in multisite configurations.
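To illustrate the class of defect described above, the following is an added example and not Rank Math code: a hypothetical plugin setting (`myplugin_footer_note`, with all function names assumed) shown first in the vulnerable store-and-echo pattern and then in a hardened form that honours the saving user's `unfiltered_html` capability and escapes on output.

```php
<?php
// Added example, not Rank Math code. "myplugin_footer_note" is a hypothetical
// plugin setting editable by anyone who can reach the plugin's settings page.

// --- Vulnerable pattern: the raw submitted value is stored and echoed back ---
function myplugin_save_footer_note_unsafe() {
    // No sanitization: whatever the settings-page user typed is persisted.
    update_option( 'myplugin_footer_note', wp_unslash( $_POST['footer_note'] ) );
}
function myplugin_render_footer_note_unsafe() {
    // No escaping: the stored string lands in every visitor's page as markup.
    echo '<p class="footer-note">' . get_option( 'myplugin_footer_note' ) . '</p>';
}

// --- Hardened pattern ---
// 1. Register the option with a sanitize_callback so every write path
//    (Settings API form post, REST, update_option) runs the same filter.
add_action( 'admin_init', function () {
    register_setting( 'myplugin_options', 'myplugin_footer_note', array(
        'type'              => 'string',
        'sanitize_callback' => 'myplugin_sanitize_footer_note',
        'default'           => '',
    ) );
} );

// 2. Let the saving user's capabilities decide how much markup is kept.
//    Users without unfiltered_html (roles lowered via a role manager, and
//    all non-super-admins on multisite) are limited to plain text.
function myplugin_sanitize_footer_note( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        // Post-safe HTML only: <script>, event handlers and javascript: URLs are dropped.
        return wp_kses_post( $value );
    }
    // Strips all tags, octets and line breaks; safe to treat as text.
    return sanitize_text_field( $value );
}

// 3. Escape for the output context every time, regardless of what is stored.
function myplugin_render_footer_note() {
    $note = get_option( 'myplugin_footer_note', '' );
    // Attribute context: esc_attr, so quotes cannot close the attribute.
    echo '<p class="footer-note" data-note="' . esc_attr( wp_strip_all_tags( $note ) ) . '">';
    // Element content: re-filter through kses rather than trusting the database.
    echo wp_kses_post( $note );
    echo '</p>';
}
```

The sanitize callback runs in the context of the user performing the save, which is what makes the `unfiltered_html` check meaningful for lower-privileged roles and multisite users.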
References
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published