Pierluigi Paganini March 31, 2020

A critical privilege escalation flaw in the WordPress SEO Plugin – Rank Math plugin can allow registered users to gain administrator privileges.

Defiant’s Wordfence Threat Intelligence team discovered a critical privilege escalation vulnerability in the WordPress SEO Plugin – Rank Math plugin that could allow attackers to give administrator privileges to any registered user.

Rank Math is a WordPress plugin that helps website owners to attract more traffic to their sites through search engine optimization (SEO).

The WordPress plugin is currently installed on more than 200,000 sites.

Rank Math practically configures itself using a setup Wizard that sets up SEO for WordPress perfectly.

The setup wizard features support for Google Schema Markup (aka Rich Snippets), keyword optimization, Google Search Console integration, Google keyword rank tracking, and more

The issue resides in an unprotected REST-API endpoint, the issue could be exploited by an unauthenticated attacker to update arbitrary metadata, which ones that could grant or revoke administrative privileges for any registered user.

“The most critical vulnerability allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site.” reads the analysis published by WordFence.

Attackers could also exploit the issue to revoke administrator privileges to admins and lockout them on their sites.

“Alternatively, an attacker could completely revoke an existing administrator’s privileges by sending a similar request with a meta[wp_user_level] parameter and a meta[wp_capabilities] parameter set to empty values.” continues the post. “Since many sites have a single administrator with a user ID of 1, this meant that an attacker could lock an administrator out of their own site. Note that these attacks are only the most critical possibilities.”

Experts also spotted a second flaw that made it possible for unauthenticated attackers to create redirects from almost any location on the site to any destination of their choice.

The flaw resides in one of the optional plugin modules that would help users to create redirects on their WordPress websites.

“In order to perform this attack, an unauthenticated attacker could send a $_POST request to rankmath/v1/updateRedirection with a redirectionUrl parameter set to the location they wanted the redirect to go to, a redirectionSources parameter set to the location to redirect from, and a hasRedirect parameter set to true.” continues the post. “This attack could be used to prevent access to all of a site’s existing content, except for the homepage, by redirecting visitors to a malicious site.”

Below the disclosure timeline:

March 23, 2020 – Wordfence Threat Intelligence discovers and analyzes vulnerabilities.
March 24, 2020– Initial contact with the plugin’s developer team. Firewall rule released for Wordfence Premium users.
March 25, 2020 – Plugin developer confirms appropriate inbox for handling discussion. Full vulnerability disclosure sent.
March 26, 2020 – Patched version of plugin released.
April 23, 2020 – Firewall rule becomes available to Wordfence free users.

Unfortunately, the number of attacks attempting to exploit vulnerabilities in WordPress plugins continues to increase.

A few weeks ago researchers at NinTechNet reported an ongoing campaign that was actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin. Other attacks recently observed are:

• Jan. 2020 – An authentication bypass vulnerability in the InfiniteWP plugin that could potentially impact by more than 300,000 sites.
• Jan. 2020 – Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in Code Snippets plugin.
• Feb. 2020 – A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin with over 200,000 active installs can be exploited to wipe sites and gain admin access to the site.
• Feb. 2020 – A stored cross-site vulnerability in the GDPR Cookie Consent plugin that could potentially impact 700K users.
• Feb. 2020 – A zero-day vulnerability in the ThemeREX Addons was actively exploited by hackers in the wild to create user accounts with admin permissions.
• March 2020 – The WordPress plugin ‘ThemeREX Addons’ is affected by a critical vulnerability that could allow remote attackers to execute arbitrary code.
• March 2020 – Flaws in the Popup Builder WordPress plugin could allow unauthenticated attackers to inject malicious JavaScript code into popups of 100K+ websites.

I believe it is very important to protect WordPress install with dedicated solutions, I’m currently using WordFence solution, the company provided with a license to evaluate the premium features.

Pierluigi Paganini

(SecurityAffairs – WordPress, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]