CVE-2024-11620
Description
Rank Math SEO plugin <= 1.0.231 allows authenticated code injection via improper generation control, enabling server-side compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A code injection vulnerability exists in the Rank Math SEO plugin for WordPress (versions up to and including 1.0.231). The bug is classified as an improper control of generation of code ('Code Injection') issue. It resides somewhere in the plugin's code generation logic, though the specific vulnerable function is not publicly disclosed in the available references. The vulnerability is reachable only by authenticated users with certain plugin capabilities; anonymous users cannot trigger it.
Exploitation
An attacker must have a valid WordPress account with at least contributor-level access and the ability to interact with the Rank Math plugin's settings or content generation features. The exact sequence of steps is not detailed in public references, but the vulnerability allows the attacker to inject arbitrary PHP code through plugin-controlled inputs that are improperly sanitized before being used in code generation (e.g., via eval() or include() of dynamically constructed paths). Successful exploitation requires no user interaction beyond the attacker's own authenticated session.
Impact
On successful exploitation, an authenticated attacker can execute arbitrary PHP code on the server. This leads to full compromise of the WordPress site, including the ability to read, modify, or delete any data, install backdoors, and potentially pivot to other applications on the same server. The attacker gains the privileges of the web server user, which typically has broad access to the site's file system and database.
Mitigation
Rank Math SEO version 1.0.232 (released after the disclosure) fixes the vulnerability. All users should update to at least that version immediately. The plugin's WordPress.org page [1] confirms the current version is 1.0.270, which includes the patch. No workaround is available for sites that cannot upgrade. There is no evidence this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected product entries:
- (no CPE) range: <= 1.0.231
- (no CPE) range: <= 1.0.231
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.