PT-2024-39563 · WordPress · Rank Math Seo

Leo · Published 2024-10-05 · Updated 2025-01-29 · CVE-2024-9314

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress, versions up to and including 1.0.228.

Description: The issue is PHP Object Injection via deserialization of untrusted input in the set redirections function. It allows authenticated attackers with Administrator-level access or above to inject a PHP object. No known POP chain is present in the vulnerable software itself, but if a POP chain is available through an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations: For versions up to and including 1.0.228, consider disabling the set redirections function until a patch is available, to prevent PHP Object Injection. Restrict access to the vulnerable function to minimize the risk of exploitation, and avoid passing untrusted input to the set redirections function so that malicious data is never deserialized. At the moment there is no information about a newer version that contains a fix for this vulnerability.
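To illustrate the class of defect the description refers to, here is an added, hypothetical example (not Rank Math's code) of a redirection-import routine that feeds caller-supplied data to unserialize(), beside a hardened version that accepts only plain JSON arrays and validates each field; the function names, field names and status-code list are assumptions made for the example.

```php
<?php
// Constructed example; not the plugin's own code.

// Weak pattern: unserialize() on caller-supplied data lets the caller
// instantiate any class loaded on the site, so a gadget class shipped by
// another plugin or theme becomes reachable (the POP-chain risk above).
function import_redirections_weak(string $payload): array {
    $redirections = unserialize($payload);   // untrusted input, objects allowed
    return is_array($redirections) ? $redirections : [];
}

// Hardened pattern: accept a data-only format (JSON decoded to arrays,
// never objects) and validate every field before it is stored or used.
function import_redirections_safe(string $payload): array {
    $decoded = json_decode($payload, true);  // true => associative arrays only
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('Redirections must be a JSON array');
    }
    $allowed_codes = [301, 302, 307, 410];   // assumed set of redirect types
    $clean = [];
    foreach ($decoded as $entry) {
        if (!is_array($entry) || !isset($entry['source'], $entry['target'])) {
            continue;                        // drop malformed entries
        }
        $source = trim(strip_tags((string) $entry['source']));
        $target = (string) $entry['target'];
        $code   = (int) ($entry['code'] ?? 301);
        if ($source === '' || filter_var($target, FILTER_VALIDATE_URL) === false
            || !in_array($code, $allowed_codes, true)) {
            continue;                        // reject anything that fails validation
        }
        $clean[] = ['source' => $source, 'target' => $target, 'code' => $code];
    }
    return $clean;
}

// If previously serialized data must still be read, forbid object creation:
// any class name in the stream is turned into __PHP_Incomplete_Class rather
// than instantiated, so no gadget's magic methods can run.
function read_legacy_redirections(string $payload): array {
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed sample input: one valid entry, one with an invalid target URL.
$sample = '[{"source":"/old","target":"https://example.com/new","code":301},'
        . '{"source":"/bad","target":"javascript:alert(1)"}]';
var_dump(import_redirections_safe($sample));  // keeps only the first entry
```

The hardened version still needs the caller to enforce the appropriate capability check, but it removes the deserialization sink entirely.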

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2024-9314

Affected Products: Rank Math Seo