CVE-2020-11514

CRITICAL EXPLOITED NUCLEI

Rank Math SEO < 1.0.40.2 - Unauthenticated Arbitrary Metadata Update via rankmath/v1/updateMeta Endpoint

Title source: llm

Exploitation Summary

CVE-2020-11514 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including halilkirazkaya. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains a functional PoC for CVE-2020-11514, demonstrating how unauthenticated attackers can exploit the Rank Math WordPress plugin's unsecured REST API endpoint to update arbitrary metadata, including user capabilities, leading to privilege escalation.

Description

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint.

Exploits (1)

github WORKING POC 4 stars

by halilkirazkaya · poc

https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2020/CVE-2020-11514.md

View Code ZIP pw:eip

The repository contains a functional PoC for CVE-2020-11514, demonstrating how unauthenticated attackers can exploit the Rank Math WordPress plugin's unsecured REST API endpoint to update arbitrary metadata, including user capabilities, leading to privilege escalation.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Rank Math WordPress plugin (through 1.0.40.2)

No auth needed

Prerequisites: WordPress site with Rank Math plugin installed and vulnerable version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 27, 2026 Full analysis →

Nuclei Templates (1)

Rank Math SEO <= 1.0.40.2 - Privilege Escalation via Unprotected REST API Endpoint

CRITICALVERIFIEDby s4e-io

References (3)

Core 3

Core References

Product, Release Notes x_refsource_misc

https://rankmath.com/changelog/

Product x_refsource_misc

https://wordpress.org/plugins/seo-by-rank-math/#developers

Exploit, Third Party Advisory x_refsource_misc

https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/

Scores

CVSS v3 9.8

EPSS 0.0911

EPSS Percentile 94.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2023-07-19

CWE

CWE-862

Status published

Products (1)

rankmath/seo < 1.0.40.2

Published Apr 07, 2020

Tracked Since Feb 18, 2026