CVE-2020-11514

CRITICAL EXPLOITED NUCLEI

Rankmath Seo < 1.0.40.2 - Missing Authorization

Title source: rule

Description

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint.

Exploits (1)

github WORKING POC 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2020/CVE-2020-11514.md

Nuclei Templates (1)

Rank Math SEO <= 1.0.40.2 - Privilege Escalation via Unprotected REST API Endpoint
CRITICAL VERIFIED by s4e-io

Scores

CVSS v3 9.8
EPSS 0.6554
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-07-19
CWE CWE-862
Status published
Products (1)
rankmath/seo < 1.0.40.2
Published Apr 07, 2020
Tracked Since Feb 18, 2026