CVE-2026-34892

Vulnerability

The Rank Math SEO plugin for WordPress versions up to and including 1.0.271 contains a broken access control vulnerability. This flaw arises from missing authorization or nonce token checks in certain functions, allowing a user with subscriber-level privileges to execute actions intended for higher-privileged roles such as administrators [1].

Exploitation

An attacker must have a valid subscriber account on a WordPress site running the vulnerable plugin. No additional network position or user interaction beyond logging in as a subscriber is required. The attacker can then directly invoke the vulnerable endpoints to perform actions like modifying SEO settings or other administrative tasks. This vulnerability is expected to be exploited in mass campaigns targeting thousands of sites [1].

Impact

Successful exploitation enables an unprivileged subscriber to gain unauthorized access to administrative functions, potentially leading to information disclosure, site defacement, or further compromise of the WordPress installation. The CVSS v3 score is 6.5 (Medium) [1].

Mitigation

The vendor has released version 1.0.271.1 which fixes the broken access control. Users should update to this version or later immediately. If updating is not possible, applying a mitigation rule from Patchstack or contacting the hosting provider for assistance is recommended [1].