Rank Math is the latest addition to the stream of vulnerable WordPress plugins. Two serious security vulnerabilities were reported in the WordPress SEO plugin Rank Math, one of which could hand an attacker administrator privileges on the site.
Rank Math Plugin Vulnerabilities
The Wordfence team has made another notable discovery this week: two security vulnerabilities in the WordPress SEO plugin Rank Math, which they explain in a recent blog post.
The first of the two flaws is a privilege escalation vulnerability with a CVSS score of 10.0. This critical flaw existed because the plugin's metadata-update REST API endpoint performed no permission check, so it could be called without authentication. Regarding how the exploit would work, the researcher stated:
"WordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant any registered user administrative privileges by sending a request to wp-json/rankmath/v1/updateMeta, with an objectID parameter set to the User ID to be modified, an objectType parameter set to […], a meta[wp_user_level] parameter set to 10, and a meta[wp_capabilities][administrator] parameter set to […]."
Furthermore, because the same endpoint writes arbitrary user meta, exploiting it would also allow the attacker to strip an administrator of their privileges and lock them out of their own site.
The second vulnerability was another unprotected REST API endpoint, this one belonging to the plugin's module for creating site redirects, which an unauthenticated attacker could use to plant redirects of their own. Explaining this high-severity flaw, the blog reads:
"To perform this attack, an unauthenticated attacker could send a request with a redirectionUrl parameter set to the location they wanted the redirect to go to, a redirectionSources parameter set to the location to redirect from, and a hasRedirect parameter set to true. This attack could be used to prevent access to all of a site's existing content, except for the homepage, by redirecting visitors to a malicious site."
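Both flaws share one root cause: a WordPress REST route registered without a permission_callback, so the callback runs for anonymous visitors. The following is an added illustration, not Rank Math's own code and not from the Wordfence post: a hypothetical plugin registering a metadata-update route the vulnerable way, beside a hardened registration that authenticates the caller, authorises them against the target user, and refuses to touch core meta keys such as wp_capabilities and wp_user_level. The namespaces example-vuln/v1 and example/v1, the function names, and the example_ meta-key prefix are all assumptions for the example; the same permission_callback fix applies to a redirect-management route (typically requiring manage_options).

```php
<?php
/**
 * Added illustration only, not Rank Math's code. Shows the class of bug
 * described above (unauthenticated REST endpoint writing user meta) and a
 * hardened equivalent. Namespaces, function names and the example_ meta-key
 * prefix are hypothetical.
 */

// --- Vulnerable pattern: no permission_callback, arbitrary meta keys. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-vuln/v1', '/updateMeta', [
        'methods'  => 'POST',
        'callback' => 'example_update_meta_unprotected',
        // No 'permission_callback': any visitor, logged in or not, may call this.
    ] );
} );

function example_update_meta_unprotected( WP_REST_Request $request ) {
    $object_id   = absint( $request->get_param( 'objectID' ) );
    $object_type = $request->get_param( 'objectType' );
    $meta        = (array) $request->get_param( 'meta' );

    if ( 'user' === $object_type ) {
        // A request carrying meta[wp_user_level]=10 and
        // meta[wp_capabilities][administrator]=1 lands here and is written
        // verbatim, which is what turns a subscriber into an administrator.
        foreach ( $meta as $key => $value ) {
            update_user_meta( $object_id, $key, $value );
        }
    }
    return rest_ensure_response( [ 'updated' => true ] );
}

// --- Hardened pattern: authenticate, authorise, and allowlist meta keys. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/updateMeta', [
        'methods'             => 'POST',
        'callback'            => 'example_update_meta_protected',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Anonymous REST requests have no current user, so this returns
            // false for them; logged-in users must also be allowed to edit
            // the specific target user (the edit_user meta capability).
            $object_id = absint( $request->get_param( 'objectID' ) );
            return is_user_logged_in() && current_user_can( 'edit_user', $object_id );
        },
        'args' => [
            'objectID'   => [ 'required' => true, 'sanitize_callback' => 'absint' ],
            'objectType' => [ 'required' => true, 'enum' => [ 'user', 'post' ] ],
            'meta'       => [ 'required' => true ],
        ],
    ] );
} );

function example_update_meta_protected( WP_REST_Request $request ) {
    global $wpdb;
    $object_id = absint( $request->get_param( 'objectID' ) );
    $meta      = (array) $request->get_param( 'meta' );

    // Core keys that must never be writable through a generic meta endpoint.
    // The capabilities/user_level keys carry the table prefix, so build them
    // from $wpdb->prefix rather than hard-coding "wp_".
    $protected = [
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
        'session_tokens',
    ];

    foreach ( $meta as $key => $value ) {
        $key = sanitize_key( $key );
        // Allowlist: only the plugin's own namespaced keys, never core keys.
        if ( 0 !== strpos( $key, 'example_' ) || in_array( $key, $protected, true ) ) {
            return new WP_Error(
                'rest_forbidden_meta',
                'Meta key not allowed.',
                [ 'status' => 403 ]
            );
        }
        // Scalar values only: sanitize_text_field() returns '' for arrays.
        update_user_meta( $object_id, $key, sanitize_text_field( $value ) );
    }
    return rest_ensure_response( [ 'updated' => true ] );
}
```

Two points worth checking in your own plugins: since WordPress 5.5, register_rest_route() emits a _doing_it_wrong notice when permission_callback is omitted, so a quick grep for routes without one (or with `'permission_callback' => '__return_true'`) finds candidates like these; and even an authorised caller should not be able to name arbitrary meta keys, because wp_capabilities and wp_user_level are ordinary rows in usermeta and nothing in update_user_meta() stops them being overwritten.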
Patches Rolled Out – Update Now!
After discovering the flaws on March 23, 2020, the Wordfence team reported them to the plugin developers, who quickly worked on patches.
Three days later they released Rank Math version 1.0.41 with the fixes. Users of this plugin should therefore make sure their sites are running the patched version (or later) to stay safe.
Let us know your thoughts in the comments.