A bug in the Rank Math WordPress plugin allows assigning administrator privileges to any user

A critical privilege-escalation bug has been found in Rank Math, a WordPress plugin with more than 200,000 installations.

By exploiting the bug, an attacker can grant administrator privileges to any registered user of the site.

Specialists from Defiant's Wordfence Threat Intelligence team discovered the problem in an unprotected REST API endpoint.

Exploiting the flaw allows an unauthenticated attacker to modify arbitrary metadata, including granting or revoking administrative privileges for any registered user.

Worse, according to the researchers, attackers can also lock out legitimate site administrators by revoking their privileges, and many WordPress sites have only one admin user.

“Please note that these attacks are only the most important features [when exploiting the vulnerability]. Depending on the other plugins installed on the site, the ability to change metadata for materials, comments and so on can potentially be used for many other exploits, such as cross-site scripting (XSS),” the experts write.

The researchers also found a second problem that allows unauthenticated attackers to create redirects from almost anywhere on the site to any destination of their choice. The bug was found in one of the Rank Math add-on modules, which, as you might guess, is used to create redirects on WordPress sites.

“This attack can be used to ban access to all existing site content, with the exception of the home page, by redirecting visitors to a malicious resource,” the experts say.

The plugin developers have already prepared and released an updated version, Rank Math 1.0.42, which fixes both security issues found by the researchers. Since one of the vulnerabilities is critical, users are encouraged to upgrade as soon as possible.

Reference:

WordPress SEO Plugin – Rank Math is a WordPress plugin designed to assist with search engine optimization, and it has a number of features to make doing so easier, including the ability to update metadata on posts. In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permission_callback used for capability checking.
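As an added illustration (not Rank Math's code and not from the Wordfence write-up), the following shows the defect class the reference describes: a REST route registered without a permission_callback, beside a hardened registration that checks the caller's capability for the object and only writes meta keys the plugin owns. The namespace `example/v1`, the route names and the allowed meta keys are assumptions.

```php
<?php
// Hypothetical example added to this article; not Rank Math's code. The namespace
// 'example/v1', the route names and the allowed meta keys are all assumptions.

// Vulnerable shape: no 'permission_callback', so the REST API treats the route as
// public and an unauthenticated request reaches the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/updateMeta', array(
        'methods'  => 'POST',
        'callback' => 'example_update_meta',
    ) );
} );

// Hardened shape: a capability check per object, plus an allowlist of meta keys so
// the endpoint cannot write keys it does not own (user roles are stored as user meta).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/updateMetaSecure', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_meta',
        'permission_callback' => 'example_can_update_meta',
        'args'                => array(
            'objectType' => array( 'required' => true, 'enum' => array( 'post', 'comment', 'user' ) ),
            'objectID'   => array( 'required' => true, 'type' => 'integer' ),
            'metaKey'    => array( 'required' => true, 'type' => 'string' ),
            'metaValue'  => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

function example_can_update_meta( WP_REST_Request $request ) {
    $id = (int) $request['objectID'];
    switch ( $request['objectType'] ) {
        case 'post':    return current_user_can( 'edit_post', $id );
        case 'comment': return current_user_can( 'edit_comment', $id );
        case 'user':    return current_user_can( 'edit_user', $id );
    }
    return false; // unknown object type: deny
}

function example_update_meta( WP_REST_Request $request ) {
    $allowed = array( 'example_seo_title', 'example_seo_description' ); // assumed plugin-owned keys
    $key     = $request['metaKey'];
    if ( ! in_array( $key, $allowed, true ) ) {
        return new WP_Error( 'rest_forbidden_meta', 'Meta key not allowed.', array( 'status' => 403 ) );
    }
    $ok = update_metadata( $request['objectType'], (int) $request['objectID'], $key, $request['metaValue'] );
    return rest_ensure_response( array( 'updated' => (bool) $ok ) );
}
```

Both routes share the same callback; the only difference is that the second one cannot be reached without passing the permission_callback, which is the check the vulnerable endpoint lacked.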

News about vulnerabilities in WordPress plugins was quite frequent on information security websites, at least until attackers turned their attention to profiting from the COVID-19 epidemic. For example, RiskSense experts estimate that 55% of all exploited vulnerabilities are related to WordPress and Apache Struts.


About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

