Defiant’s Wordfence Threat Intelligence team discovered a critical privilege escalation vulnerability in the WordPress SEO Plugin – Rank Math plugin that could allow attackers to give administrator privileges to any registered user.
Rank Math is a WordPress plugin that helps website owners to attract more traffic to their sites through search engine optimization (SEO).
The WordPress plugin is currently installed on more than 200,000 sites.
Rank Math practically configures itself using a setup wizard that configures SEO for WordPress.
The setup wizard features support for Google Schema Markup (aka Rich Snippets), keyword optimization, Google Search Console integration, Google keyword rank tracking, and more.
The issue resides in an unprotected REST-API endpoint that an unauthenticated attacker could use to update arbitrary metadata, including entries that grant or revoke administrative privileges for any registered user.
“The most critical vulnerability allowed an
Attackers could also exploit the issue to revoke administrator privileges to
“Alternatively, an attacker could completely revoke an existing administrator’s
Experts also spotted a second flaw that made it possible for
The flaw resides in one of the optional plugin modules that would help users to create redirects on their WordPress websites.
“In order to perform this attack, an unauthenticated attacker could send a $_POST request to rankmath/v1/updateRedirection with a redirectionUrl parameter set to the location they wanted the redirect to go to, a redirectionSources parameter set to the location to redirect from, and a hasRedirect parameter set to true.” continues the post. “This attack could be used to prevent access to all of a site’s existing content, except for the
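As an added illustration, not Rank Math's code nor anything from the Wordfence write-up, the PHP below shows the general pattern behind an unprotected REST endpoint of this kind (the metadata update described above and the redirect endpoint in the quote share the same root cause): a route whose permission_callback accepts every caller, beside a hardened registration that requires a capability, allow-lists the meta keys and refuses protected keys such as wp_capabilities. Route names, parameters and meta keys are assumptions.

```php
<?php
// Hypothetical plugin code for illustration; route names and meta keys are assumptions.

// WEAK: '__return_true' as permission_callback lets anyone, logged in or not, reach
// the handler, which then writes whatever meta key and value the request names.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/updateMetaWeak', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_meta_weak',
        'permission_callback' => '__return_true', // the defect: no authorization at all
    ) );
} );

function example_update_meta_weak( WP_REST_Request $request ) {
    // Caller-controlled key: user meta includes wp_capabilities, which stores roles.
    update_user_meta( (int) $request['objectID'], $request['metaKey'], $request['metaValue'] );
    return new WP_REST_Response( array( 'ok' => true ) );
}

// HARDENED: require an authenticated administrator (cookie auth also needs a valid
// X-WP-Nonce), validate arguments against a schema, and allow only known keys.
const EXAMPLE_ALLOWED_META = array( 'example_seo_title', 'example_seo_description' );

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/updateMeta', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_meta_hardened',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'objectID'  => array( 'required' => true, 'type' => 'integer', 'sanitize_callback' => 'absint' ),
            'metaKey'   => array( 'required' => true, 'type' => 'string', 'enum' => EXAMPLE_ALLOWED_META ),
            'metaValue' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

function example_update_meta_hardened( WP_REST_Request $request ) {
    $key = $request['metaKey'];
    // Defence in depth: re-check the allow-list and refuse WordPress-protected keys
    // (wp_capabilities, wp_user_level, ...) even if the schema were ever relaxed.
    if ( ! in_array( $key, EXAMPLE_ALLOWED_META, true ) || is_protected_meta( $key, 'user' ) ) {
        return new WP_Error( 'rest_forbidden_meta', 'Meta key not allowed.', array( 'status' => 403 ) );
    }
    update_user_meta( $request['objectID'], $key, $request['metaValue'] );
    return new WP_REST_Response( array( 'ok' => true ) );
}
```

When auditing a plugin, grep its register_rest_route calls for '__return_true' or a missing permission_callback and check whether the handler writes user, post or option data from request parameters.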
Below is the disclosure timeline:
March 23, 2020 – Wordfence Threat Intelligence discovers and analyzes vulnerabilities.
March 24, 2020 – Initial contact with the plugin’s developer team. Firewall rule released for Wordfence Premium users.
March 25, 2020 – Plugin developer confirms appropriate inbox for handling discussion. Full vulnerability disclosure sent.
March 26, 2020 – Patched version of plugin released.
April 23, 2020 – Firewall rule becomes available to Wordfence free users.
Unfortunately, the number of attacks attempting to exploit vulnerabilities in WordPress plugins continues to increase.
A few weeks ago researchers at NinTechNet reported an ongoing campaign that was actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin. Other attacks recently observed are:
I believe it is very important to protect WordPress installs with dedicated solutions. I’m currently using the Wordfence solution; the company provided me with a license to evaluate the premium features.
(SecurityAffairs – WordPress, hacking)