CVE-2026-28080
Description
Missing Authorization vulnerability in Rank Math Rank Math SEO PRO allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rank Math SEO PRO: from n/a through 3.0.95.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Rank Math SEO PRO plugin up to 3.0.95 allows attackers to exploit incorrectly configured access controls, potentially leading to unauthorized actions.
The vulnerability is a missing authorization issue in the Rank Math SEO PRO plugin for WordPress, affecting versions up to and including 3.0.95. The plugin fails to properly enforce access control on certain functions, allowing unprivileged users to perform actions intended for higher-privileged roles [1].
Attackers can exploit this by sending crafted requests to the vulnerable endpoint without needing authentication. The attack can be executed remotely over the network, and no special privileges are required. This makes it possible for an attacker to manipulate settings or access sensitive data normally restricted to administrators [1].
Successful exploitation could lead to unauthorized modifications of SEO settings, disclosure of information, or other administrative-level actions. The severity is rated as Medium (CVSS 4.3), indicating a limited impact but potential for mass exploitation [1].
The vendor has addressed the issue in version 3.0.97. Users are strongly advised to update immediately. Patchstack recommends enabling auto-updates for vulnerable plugins. As a workaround, users who cannot update should consult their hosting provider or web developer for assistance [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=3.0.95
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.