by Abeerah Hashim
Rank Math has now joined the long stream of vulnerable WordPress plugins. Reportedly, two serious security vulnerabilities existed in the WordPress SEO Plugin – Rank Math. One of them could even grant an adversary administrator privileges on the site.

Rank Math Plugin Vulnerabilities

Team Wordfence has come up with another notable discovery this week: two security vulnerabilities in the WordPress SEO Plugin Rank Math. They have explained their findings in a recent blog post.

The first of the two flaws is a privilege escalation vulnerability with a CVSS score of 10.0. This critical flaw existed because a REST API endpoint in the plugin's update metadata feature was unprotected, that is, it performed no permission check and could therefore be called without authentication. Regarding how an exploit would work, the researchers stated,

WordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant any registered user administrative privileges by sending a $_POST request to wp-json/rankmath/v1/updateMeta, with an objectID parameter set to the User ID to be modified, an objectType parameter set to user, a meta[wp_user_level] parameter set to 10, and a meta[wp_capabilities][administrator] parameter set to 1.

Furthermore, because the same endpoint could also remove capabilities, exploiting this vulnerability would even allow an attacker to lock an administrator out of their own site.

The second vulnerability appeared due to another unprotected REST API endpoint, this one in the module for creating site redirects. Explaining this high-severity flaw, the blog reads,

To perform this attack, an unauthenticated attacker could send a $_POST request to rankmath/v1/updateRedirection with a redirectionUrl parameter set to the location they wanted the redirect to go to, a redirectionSources parameter set to the location to redirect from, and a hasRedirect parameter set to true. This attack could be used to prevent access to all of a site’s existing content, except for the homepage, by redirecting visitors to a malicious site.
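Both issues share one root cause: a REST route registered without any permission check, which the WordPress REST API treats as public. The following PHP is added here for illustration and is not code from Rank Math or from Wordfence's post. It shows a metadata-writing route registered the vulnerable way beside the hardened form; the namespace `example/v1`, the route names and the helper `example_update_meta` are assumptions made for this demo.

```php
<?php
// Added illustration, not Rank Math's code. Namespace 'example/v1', the route
// names and the helper example_update_meta() are assumptions for this demo.

add_action( 'rest_api_init', function () {

    // VULNERABLE PATTERN: no 'permission_callback'. A REST route is public
    // unless one is supplied, so an unauthenticated POST to
    // /wp-json/example/v1/updateMeta reaches the callback directly and can
    // write usermeta (capabilities, user level) for any user ID it names.
    register_rest_route( 'example/v1', '/updateMeta', array(
        'methods'  => WP_REST_Server::CREATABLE, // POST
        'callback' => 'example_update_meta',
    ) );

    // HARDENED PATTERN: the permission_callback runs before the callback and
    // must return true for the request to proceed. 'edit_users' is a primitive
    // capability that only administrators hold by default; the plain
    // 'edit_user' meta capability would let every logged-in user edit their
    // own record, which is not acceptable for an endpoint that writes usermeta.
    register_rest_route( 'example/v1', '/updateMetaSecure', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_update_meta',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'edit_users' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
            }
            return true;
        },
        // Schema validation rejects malformed IDs and unknown object types
        // before the callback ever sees them.
        'args' => array(
            'objectID'   => array( 'required' => true, 'type' => 'integer', 'sanitize_callback' => 'absint' ),
            'objectType' => array( 'required' => true, 'type' => 'string', 'enum' => array( 'post', 'term', 'user' ) ),
            'meta'       => array( 'required' => true, 'type' => 'object' ),
        ),
    ) );
} );

function example_update_meta( WP_REST_Request $request ) {
    global $wpdb;

    $id   = (int) $request->get_param( 'objectID' );
    $meta = (array) $request->get_param( 'meta' );

    // Defense in depth: even for an authorised caller, refuse to touch the
    // keys that define a user's privileges through a generic meta endpoint.
    // The key names carry the table prefix ('wp_' only on a default install),
    // so build the blocklist from $wpdb->prefix rather than hard-coding 'wp_'.
    $blocked = array( $wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level' );
    foreach ( $blocked as $key ) {
        unset( $meta[ $key ] );
    }

    foreach ( $meta as $key => $value ) {
        update_user_meta( $id, sanitize_key( $key ), $value );
    }

    return rest_ensure_response( array( 'updated' => array_keys( $meta ) ) );
}
```

Since WordPress 5.5, `register_rest_route()` emits a `_doing_it_wrong` notice when `permission_callback` is omitted; a route that is genuinely meant to be public should say so explicitly with `'permission_callback' => '__return_true'`. When auditing a plugin, grep its `register_rest_route` calls for routes that lack the key or that pass `__return_true` on anything that writes data.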

Patches Rolled Out – Update Now!

After discovering the flaws on March 23, 2020, team Wordfence reached out to the plugin developers to report the bugs. Fortunately, the developers quickly worked on patches for the vulnerabilities.

Eventually, after three days, they rolled out WordPress SEO Plugin – Rank Math version 1.0.41 with the fixes. Hence, users of this plugin must update their sites to the patched version to keep them safe.

