CVE-2024-4627: Rank Math SEO < 1.0.219 - Authenticated Stored XSS
First published: Tue Jul 02 2024(Updated: )
The Rank Math SEO WordPress plugin before 1.0.219 does not sanitise and escape some of its settings, which could allow users with access to the General Settings (by default admin, however such access can be given to lower roles via the Role Manager feature of the Rank Math SEO WordPress plugin before 1.0.219) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rank Math SEO | <1.0.219 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-4627?
CVE-2024-4627 has a moderate severity rating due to its potential for unauthorized access to sensitive settings.
How do I fix CVE-2024-4627?
To fix CVE-2024-4627, update the Rank Math SEO plugin to version 1.0.219 or later.
Who is affected by CVE-2024-4627?
CVE-2024-4627 affects users of the Rank Math SEO WordPress plugin prior to version 1.0.219.
What are the potential impacts of CVE-2024-4627?
If exploited, CVE-2024-4627 could allow unauthorized users to change SEO settings on the site.
Is there a workaround for CVE-2024-4627?
A temporary workaround for CVE-2024-4627 is to restrict access to the General Settings for lower role users until the plugin is updated.
- agent/title
- agent/weakness
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/event
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/rankmath
- canonical/rank math seo