{"api_version":"1","generated_at":"2026-04-25T23:08:19+00:00","cve":"CVE-2020-11514","urls":{"html":"https://cve.report/CVE-2020-11514","api":"https://cve.report/api/cve/CVE-2020-11514.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-11514","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-11514"},"summary":{"title":"CVE-2020-11514","description":"The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-04-07 17:15:00","updated_at":"2023-05-26 15:02:00"},"problem_types":["CWE-862"],"metrics":[],"references":[{"url":"https://rankmath.com/changelog/","name":"https://rankmath.com/changelog/","refsource":"MISC","tags":["Product","Release Notes"],"title":"The Official Rank Math SEO Changelog & Release Notes","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://wordpress.org/plugins/seo-by-rank-math/#developers","name":"https://wordpress.org/plugins/seo-by-rank-math/#developers","refsource":"MISC","tags":["Product"],"title":"WordPress SEO Plugin – Rank Math | WordPress.org","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/","name":"https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-11514","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11514","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"11514","vulnerable":"1","versionEndIncluding":"1.0.40.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rankmath","cpe5":"rankmath","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11514","vulnerable":"1","versionEndIncluding":"1.0.40.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rankmath","cpe5":"seo","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11514","vulnerable":"1","versionEndIncluding":"1.0.40.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rankmath","cpe5":"seo","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"free","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-11514","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://rankmath.com/changelog/","refsource":"MISC","name":"https://rankmath.com/changelog/"},{"url":"https://wordpress.org/plugins/seo-by-rank-math/#developers","refsource":"MISC","name":"https://wordpress.org/plugins/seo-by-rank-math/#developers"},{"refsource":"MISC","name":"https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/","url":"https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/"}]}},"nvd":{"publishedDate":"2020-04-07 17:15:00","lastModifiedDate":"2023-05-26 15:02:00","problem_types":["CWE-862"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rankmath:seo:*:*:*:*:free:wordpress:*:*","versionEndIncluding":"1.0.40.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"11514","Ordinal":"172063","Title":"CVE-2020-11514","CVE":"CVE-2020-11514","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"11514","Ordinal":"1","NoteData":"The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"11514","Ordinal":"2","NoteData":"2020-04-07","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"11514","Ordinal":"3","NoteData":"2020-04-07","Type":"Other","Title":"Modified"}]}}}