CVE-2024-13229: CWE-284 Improper Access Control in rankmath Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
CVE-2024-13229 is a medium severity vulnerability in the Rank Math SEO WordPress plugin affecting all versions up to and including 1.0.235. It stems from improper access control (CWE-284) due to a missing capability check in the update_metadata() function. Authenticated users with Contributor-level access or higher can exploit this flaw to delete schema metadata from any post, potentially disrupting SEO data integrity. The vulnerability does not allow data confidentiality breaches or availability impacts but compromises data integrity. Exploitation requires authentication but no user interaction beyond that. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying access restrictions to mitigate risk. The vulnerability primarily affects WordPress sites using Rank Math SEO, which are widespread globally, with higher risk in countries with large WordPress user bases.
AI Analysis
Technical Summary
CVE-2024-13229 is a vulnerability identified in the Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress, affecting all versions up to and including 1.0.235. The root cause is an improper access control issue (CWE-284): the update_metadata() function lacks a proper capability check. This flaw allows authenticated users with Contributor-level permissions or higher to delete any schema metadata assigned to posts within the WordPress site. Schema metadata is critical for SEO because it helps search engines understand the content structure, and its deletion can degrade SEO performance and data integrity. The vulnerability requires the attacker to be authenticated with at least Contributor privileges, which are commonly granted to users who can create and edit posts but not publish them. There is no requirement for user interaction beyond authentication, and the vulnerability does not impact confidentiality or availability, only integrity. The CVSS v3.1 base score is 4.3, indicating medium severity, with a network attack vector, low attack complexity, and privileges required. No known exploits have been reported in the wild, and no patches were linked at the time of publication. The vulnerability was published on February 13, 2025, and was reserved on January 8, 2025. The issue is significant because many WordPress sites rely on Rank Math SEO for managing SEO metadata, making this a widespread risk if left unmitigated.
Potential Impact
The primary impact of CVE-2024-13229 is the unauthorized deletion of schema metadata from posts on WordPress sites using the Rank Math SEO plugin. This compromises the integrity of SEO data, potentially leading to degraded search engine rankings and reduced visibility of affected websites. While the vulnerability does not expose sensitive data or cause denial of service, the loss of structured metadata can have significant business consequences for organizations relying on SEO for traffic and revenue. Attackers with Contributor-level access can exploit this flaw to sabotage SEO efforts, which could be leveraged in targeted attacks against competitors or to disrupt content marketing strategies. Since Contributor access is relatively low privilege, the risk is elevated in environments where user access controls are lax or where many users have such permissions. The scope of affected systems is broad, given the popularity of WordPress and Rank Math SEO globally. However, the impact is limited to sites that have both the plugin installed and users with Contributor or higher roles. No known active exploitation reduces immediate risk but does not eliminate the threat of future attacks.
Mitigation Recommendations
To mitigate CVE-2024-13229, organizations should first verify whether their WordPress installations use the Rank Math SEO plugin and identify the version in use. Immediate mitigation involves restricting Contributor-level user permissions by auditing and minimizing the number of users with such access. Administrators should enforce the principle of least privilege, ensuring only trusted users have Contributor or higher roles. Until an official patch is released, consider disabling or removing the Rank Math SEO plugin if feasible, especially on sites with multiple contributors. Monitoring and logging changes to post metadata can help detect unauthorized deletions early. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious update_metadata() function calls may provide temporary protection. Once a patch is available, promptly apply it to restore proper capability checks. Additionally, educating content contributors about the risk and encouraging reporting of unusual behavior can enhance detection. Regular backups of site content and metadata are essential to recover quickly from any unauthorized changes.
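As an added illustration (not Rank Math's own code), this shows the defensive pattern the recommendations above call for: a server-side capability check tied to the specific post before schema metadata is removed, and an audit hook that logs every deletion of schema metadata so an unexpected removal by a low-privilege account is visible. The meta key prefix `rank_math_schema`, the route name and all function names are assumptions.

```php
<?php
// Added example (not the plugin's code). Meta key prefix, route and names are assumed.

define( 'EXAMPLE_SCHEMA_META_PREFIX', 'rank_math_schema' ); // assumed prefix

/**
 * Hardened handler: refuse to delete schema meta unless the current user may
 * edit this specific post. The `edit_post` meta capability is checked against
 * the target post ID, so a Contributor can only touch their own unpublished posts.
 */
function example_delete_schema_meta( int $post_id, string $meta_key ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability for this post.', array( 'status' => 403 ) );
    }
    if ( strpos( $meta_key, EXAMPLE_SCHEMA_META_PREFIX ) !== 0 ) {
        return new WP_Error( 'bad_key', 'Not a schema meta key.', array( 'status' => 400 ) );
    }
    return delete_post_meta( $post_id, $meta_key );
}

// Expose the handler on a REST route whose permission_callback repeats the
// per-post capability check, so the check cannot be bypassed by calling the route directly.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/schema/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'edit_post', (int) $req['id'] );
        },
        'callback'            => function ( WP_REST_Request $req ) {
            return example_delete_schema_meta( (int) $req['id'], (string) $req->get_param( 'key' ) );
        },
    ) );
} );

// Detection: record every deletion of a schema meta key together with the acting
// user and source address, so unauthorized removals can be spotted in the log.
add_action( 'deleted_post_meta', function ( $meta_ids, $post_id, $meta_key ) {
    if ( strpos( (string) $meta_key, EXAMPLE_SCHEMA_META_PREFIX ) !== 0 ) {
        return;
    }
    error_log( sprintf(
        'schema meta deleted: post=%d key=%s user=%d ip=%s',
        $post_id, $meta_key, get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'n/a'
    ) );
}, 10, 3 );
```

The logging hook is independent of the plugin: it fires for any code path that deletes the metadata, which is what makes it useful for detection while an unpatched version is still installed.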
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-08T21:12:26.126Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e4eb7ef31ef0b59c9d4
Added to database: 2/25/2026, 9:49:02 PM
Last enriched: 2/26/2026, 2:14:48 AM
Last updated: 2/26/2026, 7:59:01 AM