CVE-2024-9161: 
WordPress vulnerability analysis and mitigation

The Rank Math SEO WordPress plugin (versions up to 1.0.228) contains a vulnerability identified as CVE-2024-9161, discovered and disclosed on October 4, 2024. The vulnerability stems from a missing capability check on the 'update_metadata' function, affecting the plugin's data security and access control mechanisms (NVD, WPScan).

The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 score of 6.5 (Medium). The security flaw exists in the plugin's metadata handling functionality, specifically in the 'updatemetadata' function implementation. This vulnerability allows unauthenticated attackers to manipulate metadata entries beginning with 'rankmath' and perform unauthorized operations on user and term metadata (Wordfence).

The vulnerability enables unauthorized attackers to insert new metadata, update existing metadata with the 'rank_math' prefix, and delete arbitrary user and term metadata. A critical impact of this vulnerability is the potential loss of administrator dashboard access for registered users, including administrators, due to the deletion of essential user metadata (NVD).

The vulnerability has been patched in version 1.0.229 of the Rank Math SEO plugin. Users are strongly advised to update to this version or later to protect against potential attacks (WPScan).