A critical privilege-escalation bug has been found in Rank Math, a WordPress SEO plugin with more than 200,000 installations. By exploiting it, an attacker can grant administrator privileges to any registered user of the site.
Specialists from Defiant's Wordfence Threat Intelligence team discovered the problem in an unprotected REST API endpoint.
Exploiting the flaw allows an unauthenticated attacker to modify arbitrary metadata, including granting or revoking administrative privileges for any registered user.
Worse, according to the researchers, attackers can also lock out the real site administrators by revoking their privileges, and many WordPress sites have only one administrator account.
“Note that these attacks are only the most critical possibilities [when exploiting the vulnerability]. Depending on the other plugins installed on the site, the ability to change metadata for posts, comments and so on could potentially be used for many other exploits, such as cross-site scripting (XSS),” the experts write.
The researchers also found a second problem that allows unauthenticated attackers to create redirects from almost anywhere on the site to any destination of their choice. The bug was found in one of Rank Math's optional modules, which, as you might guess, is used to create redirects on WordPress sites.
“This attack could be used to deny access to all existing site content, with the exception of the home page, by redirecting visitors to a malicious resource,” the experts say.
The plugin developers have already prepared and released an updated version, Rank Math 1.0.42, in which both security issues found by the researchers are fixed. Since one of the vulnerabilities is critical, users are urged to upgrade as soon as possible.
Rank Math (WordPress SEO Plugin – Rank Math) is a WordPress plugin designed to assist with search engine optimization, and it has a number of features to make that easier, including the ability to update metadata on posts. To provide this feature, the plugin registered a REST API endpoint, rankmath/v1/updateMeta, which did not include a permission_callback, the hook WordPress uses for capability checking on a route; without one, the route accepts requests from any visitor, and the callback's own code is the only thing between an anonymous request and the metadata write.
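The pattern behind this bug class, as an added example that is not Rank Math's source code: a REST route registered without a permission_callback beside a hardened registration that authenticates the caller, checks the capability that matches the object being edited, refuses user metadata entirely and allow-lists the meta keys the route may write. The namespace example/v1, the function names, the objectType/objectID/meta parameters and the example_seo_ key prefix are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. The "unsafe" route reconstructs the
// bug class (no permission_callback), the "safe" route shows the fix.

// Vulnerable pattern: no 'permission_callback', so any visitor can POST here.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/updateMeta', array(
        'methods'  => WP_REST_Server::CREATABLE,
        'callback' => 'example_update_meta_unsafe',
    ) );
} );

function example_update_meta_unsafe( WP_REST_Request $request ) {
    $type = $request->get_param( 'objectType' ); // post, user, term, comment ...
    $id   = (int) $request->get_param( 'objectID' );
    $meta = (array) $request->get_param( 'meta' );
    foreach ( $meta as $key => $value ) {
        // With objectType=user and key=wp_capabilities this rewrites a role.
        update_metadata( $type, $id, $key, $value );
    }
    return rest_ensure_response( 'updated' );
}

// Hardened pattern: authenticate, check the capability for the target object,
// validate the object type up front (user meta is never allowed) and restrict
// the writable keys to the plugin's own prefix.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/updateMetaSafe', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_update_meta_safe',
        'permission_callback' => 'example_update_meta_permission',
        'args'                => array(
            'objectType' => array( 'required' => true, 'enum' => array( 'post', 'term', 'comment' ) ),
            'objectID'   => array( 'required' => true, 'type' => 'integer' ),
            'meta'       => array( 'required' => true, 'type' => 'object' ),
        ),
    ) );
} );

function example_update_meta_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $type = $request->get_param( 'objectType' );
    $id   = (int) $request->get_param( 'objectID' );
    switch ( $type ) {
        case 'post':
            $ok = current_user_can( 'edit_post', $id );
            break;
        case 'term':
            $term = get_term( $id );
            $tax  = ( $term instanceof WP_Term ) ? get_taxonomy( $term->taxonomy ) : false;
            $ok   = $tax && current_user_can( $tax->cap->edit_terms );
            break;
        case 'comment':
            $ok = current_user_can( 'edit_comment', $id );
            break;
        default:
            $ok = false; // 'user' and anything else is rejected here as well as by the enum
    }
    return $ok ? true : new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
}

function example_update_meta_safe( WP_REST_Request $request ) {
    $type    = $request->get_param( 'objectType' );
    $id      = (int) $request->get_param( 'objectID' );
    $meta    = (array) $request->get_param( 'meta' );
    $written = array();
    foreach ( $meta as $key => $value ) {
        // Allow-list: a user who may edit the post still cannot reach keys
        // owned by core or by other plugins through this route.
        if ( strpos( $key, 'example_seo_' ) !== 0 ) {
            continue;
        }
        update_metadata( $type, $id, sanitize_key( $key ), sanitize_text_field( (string) $value ) );
        $written[] = $key;
    }
    return rest_ensure_response( array( 'updated' => $written ) );
}
```

Two practical checks follow from this. Since WordPress 5.5, register_rest_route emits a _doing_it_wrong notice when permission_callback is omitted, so running a site with WP_DEBUG enabled surfaces routes of the first kind; a route that is meant to be public should say so explicitly with '__return_true'. And the permission check must be tied to the specific object (edit_post for that post ID, not a generic capability), because the object ID is attacker-controlled input just like the meta keys.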
Reports of vulnerabilities in WordPress plugins were quite frequent on information security sites, at least until attackers turned their attention to cashing in on the COVID-19 epidemic. For example, RiskSense experts estimate that 55% of all exploited vulnerabilities are related to WordPress and Apache Struts.