Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 - Missing Authorization to Unauthenticated Homepage Settings Modification
Summary
| CVE | CVE-2025-12714 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-29 11:16:15 UTC |
| Updated | 2026-05-29 13:09:05 UTC |
| Description | The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in all versions up to, and including, 1.0.271. This makes it possible for unauthenticated attackers to modify several plugin settings including homepage title, meta description, breadcrumbs label, and social media metadata, which can have severe impact on SEO rankings and display malicious content across all site pages where breadcrumbs are used. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.000570000 probability, percentile 0.180580000 (date 2026-06-02)
Problem Types: CWE-862 | CWE-862 CWE-862 Missing Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | CNA | DECLARED | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Rankmath | Rank Math SEO AI SEO Tools To Dominate SEO Rankings | affected 1.0.271 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/changeset/3552223/seo-by-rank-math/trunk/includes/rest/class-... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php | [email protected] | plugins.trac.wordpress.org | |
| www.wordfence.com/threat-intel/vulnerabilities/id/dd072774-6f85-42de-a9d4-68267... | [email protected] | www.wordfence.com | |
| plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-rest-helpe... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php | [email protected] | plugins.trac.wordpress.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Michael Mazzolini (en)
CNA: abrahack (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2025-11-04T20:12:38.000Z | Vendor Notified |
| CNA | 2026-05-28T21:09:47.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.