CVE-2024-9161
📋 TL;DR
The Rank Math SEO WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to modify or delete metadata. This can lead to data manipulation, SEO sabotage, or administrator lockout by deleting user metadata. All WordPress sites using Rank Math SEO plugin versions up to 1.0.228 are affected.
💻 Affected Systems
- Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
📦 What is this software?
SEO by Rank Math
⚠️ Risk & Real-World Impact
Worst Case
Attackers delete administrator usermeta, causing complete loss of admin dashboard access, then manipulate SEO metadata to redirect traffic or inject malicious content.
Likely Case
SEO metadata manipulation affecting search rankings, or targeted deletion of specific user metadata causing access issues.
If Mitigated
No impact if proper network segmentation and web application firewalls block unauthorized REST API access.
🎯 Exploit Status
Simple HTTP requests to WordPress REST API endpoints can exploit this vulnerability without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.229 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3161896/
Restart Required: No
Instructions:
1. Log into the WordPress admin dashboard.
2. Navigate to Plugins → Installed Plugins.
3. Find the Rank Math SEO plugin.
4. Click 'Update Now' if available, or download version 1.0.229+ from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable REST API for unauthenticated users
Add the following code to functions.php to restrict REST API access to authenticated users only:
add_filter('rest_authentication_errors', function ($result) {
    // Respect an earlier authentication decision (true = already authenticated, WP_Error = already rejected).
    if (true === $result || is_wp_error($result)) {
        return $result;
    }
    // Note: this rejects every unauthenticated REST request, not only Rank Math's routes.
    if (!is_user_logged_in()) {
        return new WP_Error('rest_forbidden', 'You are not allowed to access REST API.', array('status' => 401));
    }
    return $result;
});
Web Application Firewall Rule
Block requests to Rank Math REST endpoints from unauthenticated clients:
WAF rule: Block POST/PUT/DELETE requests to /wp-json/rankmath/* that do not carry a valid WordPress authentication cookie
🧯 If You Can't Patch
- Temporarily disable Rank Math SEO plugin until patched version is available
- Implement strict network ACLs to limit WordPress REST API access to trusted IPs only
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Rank Math SEO → Version number. If version is 1.0.228 or lower, system is vulnerable.
Check Version:
wp plugin list --name='seo-by-rank-math' --field=version
Verify Fix Applied:
After update, verify version shows 1.0.229 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/PUT/DELETE requests to /wp-json/rankmath/* endpoints from unauthenticated clients
- Multiple failed login attempts following metadata deletion events
Network Indicators:
- HTTP 200 responses to rankmath REST API calls for requests that carry no authentication cookies or headers
- Unusual metadata modification patterns in database logs
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/rankmath/*" AND (http_method="POST" OR http_method="PUT" OR http_method="DELETE") AND NOT user_agent="WordPress/*")
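As an added example (not part of this advisory or of the Rank Math plugin), the following Python script applies the WAF rule and the log indicators above to web-server access logs: it flags POST/PUT/DELETE requests to Rank Math REST routes that carry no WordPress login cookie and reports which of them were answered with 2xx. It goes beyond the SIEM query in two ways: it keys on the wordpress_logged_in_* cookie rather than on the User-Agent header, which the client controls, and it also recognises the ?rest_route= form of REST URLs that WordPress uses when pretty permalinks are disabled. It assumes a combined-format access log with the request Cookie header appended as a final quoted field; the log lines and the /rankmath/v1/example route are constructed placeholders, not real Rank Math endpoints.

```python
"""Flag unauthenticated write requests to Rank Math REST routes in access logs.

Added example for this advisory; not code from the page or the Rank Math project.
Assumes combined log format with the Cookie header appended as a final quoted
field (e.g. an nginx log_format ending in '"$http_user_agent" "$http_cookie"').
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?$'
)

WRITE_METHODS = {"POST", "PUT", "DELETE"}   # methods named in the advisory
RANKMATH_NS = "/rankmath/"                  # REST namespace used by the plugin
# WordPress issues wordpress_logged_in_<hash>=... for authenticated sessions.
LOGGED_IN_COOKIE = re.compile(r"(?:^|;\s*)wordpress_logged_in_[0-9a-f]+=")


def rest_route(target):
    """Return the REST route for a request target, or None if it is not a REST call.

    Handles pretty-permalink URLs (/wp-json/<route>) and the ?rest_route=<route>
    query form WordPress uses when permalinks are disabled.
    """
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):]
    route = parse_qs(parts.query).get("rest_route")
    return route[0] if route else None


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def is_suspicious(rec):
    """True for a write to a Rank Math route with no WordPress login cookie."""
    if rec["method"] not in WRITE_METHODS:
        return False
    route = rest_route(rec["target"])
    if route is None or not route.startswith(RANKMATH_NS):
        return False
    return not LOGGED_IN_COOKIE.search(rec.get("cookie") or "")


def scan(lines):
    """Return (suspicious records, per-IP count of those answered with 2xx).

    A 2xx answer to an unauthenticated write is the strongest sign that the
    authorization bypass was exercised; 401/403 answers show that the fix or a
    workaround is holding, but still record who is probing.
    """
    hits = [rec for rec in map(parse_line, lines) if rec and is_suspicious(rec)]
    succeeded = Counter(r["ip"] for r in hits if r["status"].startswith("2"))
    return hits, succeeded


# Constructed sample log lines (not captured from a real site). The route
# /rankmath/v1/example is a placeholder, not an actual plugin endpoint. The
# second line spoofs a "WordPress/" User-Agent, which a UA-based exclusion
# would wrongly drop; the third is a legitimate logged-in editor.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "POST /wp-json/rankmath/v1/example HTTP/1.1" 200 27 "-" "python-requests/2.31" "-"
203.0.113.10 - - [10/Oct/2024:12:00:02 +0000] "DELETE /index.php?rest_route=/rankmath/v1/example HTTP/1.1" 200 2 "-" "WordPress/6.6" "-"
198.51.100.7 - - [10/Oct/2024:12:00:03 +0000] "POST /wp-json/rankmath/v1/example HTTP/1.1" 200 27 "https://example.test/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_3f2a=admin%7C1728600000%7Cabc; wp-settings-1=x"
192.0.2.5 - - [10/Oct/2024:12:00:04 +0000] "GET /wp-json/rankmath/v1/example HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
192.0.2.5 - - [10/Oct/2024:12:00:05 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 80 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [10/Oct/2024:12:00:06 +0000] "PUT /wp-json/rankmath/v1/example HTTP/1.1" 401 40 "-" "curl/8.0" "-"
"""

if __name__ == "__main__":
    hits, succeeded = scan(SAMPLE_LOG.splitlines())
    for r in hits:
        print(f"{r['ts']} {r['ip']} {r['method']} {r['target']} -> {r['status']}")
    for ip, n in succeeded.items():
        print(f"ALERT: {ip} had {n} unauthenticated Rank Math write(s) accepted with 2xx")
```

Run it against a real log with `scan(open("access.log"))` after adjusting LOG_RE to your log format; a login cookie is only evidence of a session, so treat hits as a triage list and confirm by checking the metadata changes on the site itself.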
🔗 References
- https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L120
- https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L161
- https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L162
- https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L64
- https://plugins.trac.wordpress.org/changeset/3161896/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7df39a64-76c5-4ebe-a271-44bd147a3a86?source=cve