Rank Math is the latest addition to the stream of vulnerable WordPress plugins. Two serious security vulnerabilities have been reported in the WordPress SEO Plugin – Rank Math, one of which could grant an attacker administrative privileges on the site.
Rank Math Plugin Vulnerabilities
The Wordfence team has made another notable discovery this week: two security vulnerabilities in the WordPress SEO Plugin Rank Math, which they have detailed in a recent blog post.
The first of the two flaws is a privilege escalation vulnerability with a CVSS score of 10.0. This critical flaw stemmed from an unprotected REST API endpoint in the plugin's update-metadata feature, which accepted metadata writes from requests that had not authenticated at all. Describing how an attack would work, the researcher stated:
"WordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant any registered user administrative privileges by sending a $_POST request to wp-json/rankmath/v1/updateMeta, with an objectID parameter set to the User ID to be modified, an objectType parameter set to user, a meta[wp_user_level] parameter set to 10, and a meta[wp_capabilities][administrator] parameter set to 1."
Since the same endpoint could overwrite any user's capabilities, an attacker could also use it to lock legitimate administrators out of their own site.
The second vulnerability was likewise caused by an unprotected REST API endpoint, this time in the module that creates site redirects. Explaining this high-severity flaw, the blog post reads:
"To perform this attack, an unauthenticated attacker could send a $_POST request to rankmath/v1/updateRedirection with a redirectionUrl parameter set to the location they wanted the redirect to go to, a redirectionSources parameter set to the location to redirect from, and a hasRedirect parameter set to true. This attack could be used to prevent access to all of a site’s existing content, except for the homepage, by redirecting visitors to a malicious site."
Patches Rolled Out – Update Now!
After discovering the flaws on March 23, 2020, the Wordfence team reported them to the plugin developers, who quickly worked on patches.
Three days later, they released WordPress SEO Plugin – Rank Math version 1.0.41 with the fixes. Users of this plugin should update to that version or later without delay. Because both endpoints required no authentication, site owners who ran an older version should also review their user list for unexpected administrator accounts and the redirects module for entries they did not create.
Let us know your thoughts in the comments.