CVE-2026-28080 is a missing authorization vulnerability classified under CWE-862 affecting Rank Math SEO PRO, a widely used WordPress SEO plugin. The vulnerability stems from improperly configured access control mechanisms within the plugin, which fail to adequately verify whether a user has the necessary permissions to perform certain actions. This flaw allows an attacker with low-level privileges (PR:L) to execute unauthorized actions that can alter the integrity of the system, such as modifying SEO settings or content configurations, without requiring user interaction (UI:N). The vulnerability is exploitable remotely over the network (AV:N) and does not require elevated privileges beyond low-level access. The CVSS v3.1 base score is 4.3, reflecting a medium severity due to the limited impact on confidentiality and availability, but a measurable impact on integrity. The affected versions include all versions up to 3.0.95, with no patches currently available. No known exploits have been observed in the wild. The vulnerability highlights the importance of robust access control checks in WordPress plugins, especially those managing critical site configurations. Organizations using Rank Math SEO PRO should be vigilant and monitor for updates or patches from the vendor.

The primary impact of this vulnerability is on the integrity of websites using Rank Math SEO PRO. Attackers with low-level access could manipulate SEO settings or other plugin configurations, potentially degrading site performance, misleading search engines, or injecting malicious SEO content. While confidentiality and availability are not directly affected, the integrity compromise can lead to reputational damage, loss of search engine ranking, and indirect financial losses. Since Rank Math SEO PRO is a popular plugin among WordPress users globally, a large number of websites could be affected, especially those with multiple users or contributors with limited privileges. The absence of known exploits reduces immediate risk, but the vulnerability could be leveraged in targeted attacks or combined with other vulnerabilities to escalate impact. Organizations relying heavily on organic search traffic or digital marketing may experience significant operational disruption if exploited.

Until an official patch is released, organizations should implement strict role-based access controls within WordPress to limit the number of users with low-level privileges who can access or modify Rank Math SEO PRO settings. Regularly audit user permissions and remove unnecessary accounts or privileges. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin’s endpoints. Monitor logs for unusual activity related to SEO configuration changes. Consider temporarily disabling or replacing the plugin if the risk is unacceptable and no timely patch is available. Stay informed through vendor advisories and apply patches immediately once released. Additionally, conduct penetration testing focused on access control weaknesses in WordPress plugins to proactively identify similar issues.