A critical privilege escalation vulnerability has been discovered in Rank Math, a WordPress SEO plugin installed over 200,000 times. By exploiting it, an attacker can grant administrator privileges to any registered user of the site. The issue was discovered by Defiant's Wordfence Threat Intelligence team in an unprotected REST API endpoint. Exploiting the bug allows an unauthenticated attacker to change arbitrary metadata, including granting or revoking administrative privileges for any logged-in user.
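The root cause described above is a REST route whose permission callback accepts any caller and whose handler writes whatever metadata key the request names. The following is an added illustration written for this article, not code from Rank Math or from Wordfence: a hypothetical plugin registers the same route first in the weak form and then in a hardened form. The namespace `example-seo/v1`, the function names and the meta keys are placeholders; the WordPress APIs used (`register_rest_route`, `permission_callback`, `current_user_can`, `update_user_meta`) are real.

```php
<?php
// Added example (hypothetical plugin, not Rank Math's code). Names prefixed
// "example_" and the 'example-seo/v1' namespace are placeholders.

// WEAK: permission_callback returns true for every caller, so an
// unauthenticated request can write arbitrary user meta, including the
// role key "{$wpdb->prefix}capabilities" that controls administrator rights.
function example_register_unprotected_meta_route() {
    register_rest_route( 'example-seo/v1', '/usermeta', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_meta_unchecked',
        'permission_callback' => '__return_true', // no authorization check at all
    ) );
}

function example_update_meta_unchecked( WP_REST_Request $request ) {
    // Caller chooses the target user, the key and the value.
    update_user_meta( (int) $request['user_id'], $request['key'], $request['value'] );
    return new WP_REST_Response( array( 'ok' => true ), 200 );
}

// HARDENED: real authorization, typed arguments, an allow-list of plugin-owned
// keys, and an explicit refusal to touch role/capability metadata.
function example_register_protected_meta_route() {
    register_rest_route( 'example-seo/v1', '/usermeta', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_meta_checked',
        'permission_callback' => function () {
            // Core validates the cookie + nonce (or application password);
            // this only admits users allowed to edit other users.
            return current_user_can( 'edit_users' );
        },
        'args' => array(
            'user_id' => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
            'key'     => array( 'required' => true, 'type' => 'string' ),
            'value'   => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
}

function example_update_meta_checked( WP_REST_Request $request ) {
    global $wpdb;
    $key     = $request['key'];
    $user_id = (int) $request['user_id'];

    // Defence in depth: role and level keys are never writable through this route,
    // even if the allow-list below were later widened by mistake.
    $role_keys = array( $wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level' );
    if ( in_array( $key, $role_keys, true ) ) {
        return new WP_Error( 'example_forbidden_key', 'Role metadata is not editable here', array( 'status' => 403 ) );
    }

    // Only keys this plugin owns may be written.
    $allowed_keys = array( 'example_seo_title', 'example_seo_description' );
    if ( ! in_array( $key, $allowed_keys, true ) ) {
        return new WP_Error( 'example_forbidden_key', 'Meta key not permitted', array( 'status' => 403 ) );
    }

    // Per-user meta capability: an editor may not modify an administrator's data.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return new WP_Error( 'example_forbidden_user', 'Cannot edit this user', array( 'status' => 403 ) );
    }

    update_user_meta( $user_id, $key, sanitize_text_field( $request['value'] ) );
    return new WP_REST_Response( array( 'ok' => true ), 200 );
}

// Only the hardened route is wired up; the weak one is shown for contrast.
add_action( 'rest_api_init', 'example_register_protected_meta_route' );
```

The permission callback alone is not enough: a route that passes authorization but still lets the caller name the meta key would let a low-privileged editor rewrite role metadata of any user, which is why the handler also allow-lists keys and checks the per-user `edit_user` capability. For auditing an existing site, grepping plugin code for `'permission_callback' => '__return_true'` together with `update_user_meta` or `update_post_meta` calls on request-supplied keys is a quick way to find the same pattern.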
Worse, according to the researchers, attackers can even lock out legitimate site administrators by revoking their privileges, and many WordPress sites have only a single administrator user.
“Please note that these attacks are only the most important opportunities [in exploiting the vulnerability]. Depending on other plugins installed on the site, the ability to change metadata for articles, comments, and so on can potentially be used for many other exploits, such as cross-site scripting (XSS),” the experts write.
The researchers also found a second problem that allows unauthenticated attackers to create redirects from almost anywhere on the site to any location of their choice. The bug was found in one of the additional Rank Math modules, which, as you might guess, is used to create redirects on WordPress sites.
“This attack can be used to deny access to all existing site content, with the exception of the home page, by redirecting visitors to a malicious resource,” experts say.
The plugin developers have already prepared and released an updated version, Rank Math 1.0.42, which fixes both security issues found by the researchers. Since one of the vulnerabilities is critical, users are urged to update as soon as possible.