CVE-2024-3665 is a stored cross-site scripting (XSS) vulnerability identified in the Rank Math SEO with AI Best SEO Tools plugin for WordPress, present in all versions up to and including 1.0.216. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the plugin's HowTo and FAQ widgets. Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into these widgets. Because the injected scripts are stored persistently, they execute in the browsers of any users who visit the affected pages, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the user. The vulnerability does not require user interaction beyond viewing the infected page but does require the attacker to have authenticated access with contributor or higher privileges. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed, indicating the vulnerability affects resources beyond the initially compromised component. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The root cause is a failure to properly neutralize input during web page generation, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

This vulnerability can lead to significant security risks for organizations using the Rank Math SEO plugin on WordPress sites. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. Since WordPress powers a large portion of the web, and Rank Math is a popular SEO plugin, many websites could be exposed. The impact is particularly severe for sites with multiple contributors or where contributor accounts are not tightly controlled. The vulnerability undermines user trust and can lead to data leakage or compromise of administrative accounts if exploited in combination with other vulnerabilities. Although no known exploits are currently in the wild, the medium severity and ease of exploitation by authenticated users make it a credible threat. Organizations relying on this plugin for SEO should consider the risk of reputational damage, data breaches, and potential regulatory consequences if user data is compromised.

1. Immediately update the Rank Math SEO plugin to a version that patches this vulnerability once available. Monitor vendor announcements for official patches. 2. Restrict contributor-level access and above to trusted users only, minimizing the risk of malicious script injection. 3. Implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the HowTo and FAQ widgets of the plugin. 4. Conduct regular security audits of user-generated content, especially in SEO-related widgets, to detect suspicious scripts or code. 5. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 6. Educate site administrators and contributors about the risks of XSS and safe content practices. 7. Consider disabling the HowTo and FAQ widgets temporarily if patching is delayed and the risk is high. 8. Monitor logs for unusual activity from contributor accounts that might indicate exploitation attempts.