CVE-2024-3665 in Rank Math SEO with AI SEO Tools Plugin
Summary
by MITRE • 04/23/2024
The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's HowTo and FAQ widgets in all versions up to, and including, 1.0.216 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 10/15/2025
The vulnerability identified as CVE-2024-3665 affects the Rank Math SEO with AI SEO Tools plugin for WordPress, specifically targeting versions up to and including 1.0.216. This represents a critical security flaw that exploits stored cross-site scripting vulnerabilities within the plugin's HowTo and FAQ widgets. The vulnerability stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes before processing them within the plugin's functionality.
The technical flaw manifests when authenticated attackers with contributor-level access or higher exploit the insufficient validation of user inputs within the plugin's widget components. These attackers can inject malicious scripts through the HowTo and FAQ widget interfaces, which then get stored within the WordPress database. When other users access pages containing these compromised widgets, the injected scripts execute in their browsers, creating a persistent cross-site scripting attack vector that can affect any user who views the compromised content.
This vulnerability creates significant operational impact for WordPress sites utilizing the affected plugin, as it allows attackers to escalate their privileges and potentially compromise the entire site. The stored nature of the XSS vulnerability means that malicious scripts remain active even after the initial injection, continuously affecting users who access pages containing the compromised widgets. Attackers could potentially steal session cookies, redirect users to malicious sites, or execute additional attacks through the compromised user contexts.
The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and demonstrates how insufficient input validation and output escaping creates persistent security risks. From an ATT&CK framework perspective, this vulnerability enables techniques such as credential access through session hijacking and initial access through web application exploitation. Organizations should immediately update to the latest version of the Rank Math plugin to mitigate this risk, while implementing additional security measures including role-based access controls and regular security audits of third-party plugins.
The affected plugin's architecture fails to implement proper sanitization routines for user-supplied attributes within its widget components, creating a pathway for attackers to inject malicious code that persists across multiple user sessions. This flaw represents a classic example of how inadequate security controls in content management systems can create long-term exposure risks, particularly when privileged users have access to plugin interfaces that process unvalidated user input. The vulnerability underscores the critical importance of implementing robust input validation and output escaping mechanisms in all web application components, especially those that handle user-generated content or administrative interfaces.