Published: June 2024
Introduction
A stored cross-site scripting vulnerability, CVE-2024-13227, has been disclosed in the popular Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress. The flaw lets a low-privileged, authenticated user inject scripts into your site that later run in other users' browsers, putting both the site and its visitors at risk. If your site runs Rank Math version 1.0.235 or below, you need to act now.
What's the Problem?
This vulnerability is a classic stored cross-site scripting (stored XSS) issue. It exists because the Rank Math SEO plugin does not properly sanitize user input when it is saved, nor escape it when it is written into a page, for fields handled through the Rank Math API. Any authenticated user with Contributor-level access or higher can therefore store JavaScript that executes in the browser of anyone who later views the affected content.
When someone visits a page carrying the injected code, their browser runs it in the context of your site. This can lead to things like:
- Attackers embedding malicious scripts in your pages or posts that run for every visitor.
- Visitors, and especially logged-in administrators who view or preview the infected content, having their sessions hijacked, their data stolen, or actions performed with their privileges. Because Contributors cannot publish and must submit posts for review, an administrator opening the submitted post is the natural first target.
How an attack plays out
1. The attacker logs in to your WordPress site with Contributor-level (or higher) access.
2. They create or edit a post and submit a malicious script through a field handled by the Rank Math API (for example, a custom meta field).
3. The plugin neither sanitizes the value on save nor escapes it on output.
4. The stored script is rendered into the page and executed by the browser of any user (visitor or admin) who views that post.
Suppose the attacker fills a meta field with this payload:
<script>alert('Hacked via CVE-2024-13227');</script>
If the plugin writes this value into the HTML response without escaping, every visitor's browser pops up the alert. Real attackers use payloads that hijack the viewer's session or act with an administrator's privileges instead of showing an alert.
Example PHP snippet of risky code (hypothetical, not the plugin's actual source)
// Hypothetical vulnerable code in a Rank Math API handler
echo $_POST['rank_math_custom_title']; // No sanitization on save, no escaping on output!
How it should be fixed
// Escape for the HTML text context at the moment of output
echo esc_html( $_POST['rank_math_custom_title'] ); // Safe output
Escaping at output is the last line of defense; the value should also be sanitized (for example with sanitize_text_field()) before it is ever stored, and the endpoint should check that the caller may edit the post in question.
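To make the sanitize-on-save and escape-on-output rule concrete, here is an added example of how a WordPress plugin can handle a custom SEO title submitted through a REST endpoint safely. This is illustrative code written for this post, not Rank Math's source; the plugin name, the example-seo/v1 namespace, the /title route, the _example_seo_title meta key and the function names are all hypothetical.

```php
<?php
/**
 * Plugin Name: Example SEO Meta Hardening
 * Description: Hypothetical illustration of safe handling of a custom title
 *              saved through a REST endpoint. Not Rank Math's code.
 */

// 1. Declare the meta key so WordPress itself enforces sanitization and
//    authorization, even when the value arrives via core's /wp/v2/posts "meta".
add_action( 'init', function () {
    register_post_meta( 'post', '_example_seo_title', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => true,
        // Input side: strips tags, so a <script> element never reaches the DB.
        'sanitize_callback' => 'sanitize_text_field',
        // Protected (underscore) keys exposed to REST require an auth_callback:
        // only users who may edit this particular post can write the key.
        'auth_callback'     => function ( $allowed, $meta_key, $post_id ) {
            return current_user_can( 'edit_post', $post_id );
        },
    ) );
} );

// 2. Plugin-specific endpoint (hypothetical namespace and route).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/title/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_seo_save_title',
        // permission_callback is mandatory. A Contributor can only hit posts
        // they are allowed to edit, never arbitrary post IDs.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'args'                => array(
            'id'    => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
            'title' => array(
                'required'          => true,
                'type'              => 'string',
                // Runs before the callback sees the value.
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_seo_save_title( WP_REST_Request $request ) {
    $post_id = $request['id'];    // already passed through absint()
    $title   = $request['title']; // already passed through sanitize_text_field()
    update_post_meta( $post_id, '_example_seo_title', $title );
    return rest_ensure_response( array( 'post_id' => $post_id, 'title' => $title ) );
}

// 3. Output side: escape for the exact HTML context at render time. This also
//    protects visitors from values that were stored before the fix was deployed.
add_action( 'wp_head', function () {
    if ( ! is_singular() ) {
        return;
    }
    $title = get_post_meta( get_queried_object_id(), '_example_seo_title', true );
    if ( '' === $title ) {
        return;
    }
    // Attribute context: esc_attr() encodes quotes, so the value cannot break
    // out of content="...". Inside a text node you would use esc_html() instead.
    printf( '<meta property="og:title" content="%s">' . "\n", esc_attr( $title ) );
} );
```

The two halves are deliberately independent: the sanitize callbacks stop new malicious values from being saved, while the esc_attr() call at output protects against anything already sitting in wp_postmeta from before the patch, which matters for a stored vulnerability. Pick the escaping function by where the value lands in the markup (esc_attr() for attributes, esc_html() for text, esc_url() for href/src), not by where it came from.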
Update the Rank Math SEO Plugin Immediately!
The fix is to upgrade to a patched release (any version later than 1.0.235) through the WordPress dashboard or from the official plugin page. Because this is a stored vulnerability, updating stops new injections but does not remove anything an attacker has already saved: review the Rank Math meta fields of posts created or edited by Contributor accounts for unexpected <script> tags or inline event handlers, and clean up what you find.
References and Further Reading
- Original Wordfence Advisory
- NVD Entry for CVE-2024-13227
- Rank Math SEO Plugin on WordPress.org
- OWASP XSS Cheat Sheet
Conclusion
CVE-2024-13227 is a vulnerability you cannot ignore if you use the Rank Math SEO plugin. Stored XSS that reaches an administrator's browser can quickly lead to account hijacking and bigger problems on your site. Make sure you update to a patched release and check existing content for injected scripts.
Stay safe and happy blogging!
Timeline
Published on: 02/13/2025 05:15:13 UTC
Last modified on: 02/24/2025 16:44:13 UTC