VYPR
Medium severity 5.3 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2025-12714

Description

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in all versions up to, and including, 1.0.271. This makes it possible for unauthenticated attackers to modify several plugin settings including homepage title, meta description, breadcrumbs label, and social media metadata, which can have severe impact on SEO rankings and display malicious content across all site pages where breadcrumbs are used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Rank Math SEO plugin <=1.0.271 has a missing capability check on a REST endpoint, allowing unauthenticated attackers to modify SEO settings.

Vulnerability

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress (all versions up to and including 1.0.271) is vulnerable to unauthorized modification of plugin settings due to a missing capability check on the update_site_editor_homepage function, which is exposed via the REST route /rankmath/v1/updateSiteEditorHomepage. The affected code resides in class-shared.php, where the route is registered without a proper permission callback. As a result, a POST request to this endpoint is processed without any authentication or authorization check [1][2][3].

Exploitation

An attacker with network access to the WordPress site can send a crafted POST request to the REST endpoint /rankmath/v1/updateSiteEditorHomepage with parameters that modify plugin settings such as homepage_title, meta_description, breadcrumbs_label, and social media metadata (twitter_data and facebook_data). The attacker does not need any prior authentication or specific user privileges, as the missing permission check allows unauthenticated access to the endpoint [1][2][3].

Impact

Successful exploitation enables the attacker to alter key SEO-related settings of the Rank Math plugin. This includes changing the homepage title and meta description (used in search engine results), modifying the breadcrumbs label (displayed across all site pages), and updating social media metadata (used when links are shared on platforms like Twitter or Facebook). These changes can have severe consequences on the site's SEO rankings and can cause malicious or misleading content to appear on all pages where breadcrumbs are used, potentially harming the site's reputation and user trust [1][2][3][4].

Mitigation

The vulnerability was addressed in version 1.0.272 of the Rank Math SEO plugin, which was released with a fix that adds proper permission checks to the update_site_editor_homepage function. WordPress site administrators should update the plugin to version 1.0.272 or later immediately. No other workaround is documented in the available references. The plugin is actively maintained and not end-of-life. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory publication date [4].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
