Rank Math’s Critical Escalation Vulnerability
The WordPress Rank Math plugin assists website owners with Search Engine Optimization (SEO), thus attracting more traffic to their website. It helps users write SEO-friendly content that ranks higher in search engines. The Threat Intelligence team at Defiant’s Wordfence, however, found a critical escalation vulnerability in the plugin. The flaw discovered in the Rank Math plugin allows any registered user on a website to gain administrative privileges. Thus, unauthenticated attackers who manage to get access to a website using the plugin could give themselves administrator access. With administrative privileges, attackers can do what they like on the compromised website, including deleting the administrator account and creating their own. The attackers could then also lock all users out of the website.
What Caused the Vulnerability
As the Wordfence report explains, the cause of the vulnerability was in the code. To assist with Search Engine Optimization, the Rank Math plugin comes with several features. One of these features allows users to update the metadata on posts. To provide this feature, the plugin developers leveraged the REST-API but did not include a permission_callback in their code. The permission_callback verifies whether a user performing an action has the permission to do so. Ram Gall, the Wordfence report’s author, explains that successfully exploiting this flaw in the plugin would have “…allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site.”
The Second Vulnerability
The second vulnerability was found in Rank Math’s optional redirect module, which helps users to create redirects on WordPress websites. The vulnerability in the redirect module would have allowed unauthenticated attackers “…to create redirects from any location on the site to any destination of their choice,” explains Gall. Furthermore, “This attack could be used to prevent access to all of a site’s existing content, except for the homepage, by redirecting visitors to a malicious site,” says Gall. This second vulnerability was also caused by a missing permission_callback.
How to Fix the Rank Math Vulnerabilities
Both the above-mentioned vulnerabilities have been patched in the latest version of the Rank Math plugin, i.e. version 10.0.41. The Wordfence team advise all website owners with active installations of Rank Math to upgrade to the latest version immediately. All versions of Rank Math below 10.0.41 are vulnerable to attack. Finally, Wordfence praised Rank Math developers’ quick response and handling of their disclosure. The developers provided an updated version of the plugin that fixed the vulnerabilities the day after Wordfence’s disclosure.
