A critical security vulnerability was discovered in the WordPress SEO plugin RankMath on March 23 that could allow hackers to give WordPress admin privileges to any of the registered users.

RankMath is an SEO plugin that claims to attract more traffic on an installed WordPress website and offers Google search console integration, Keyword optimization, etc. services to its users.

It is currently being used by more than 200,000 website owners and any of these websites could be easily hacked if their RankMath plugin is not updated.

The vulnerable versions of the RankMath SEO plugin is lower than v10.0.41.

Engineers from Defiant’s Wordfence Threat Intelligence team discovered this privileged access vulnerability in an unprotected REST-API endpoint which offers the ability to “update metadata” on posts.

The update metadata function can only be used by admins to update slug on existing posts and add or remove comments metadata. But, the function used in the API endpoint code also allowed for updating metadata for users, leading to this critical vulnerability finding.

By exploiting this vulnerability, hackers can easily grant admin privileges to any registered users and also can revoke the existing user privileges completely from the victim’s WordPress site.

Note that these attacks are only the most critical possibilities. Depending on the other plugins installed on a site, the ability to update post, term, and comment metadata could potentially be used for many other exploits such as Cross-Site Scripting (XSS), says Ram Gall from Wordfence.

According to Gall, the engineers also discovered another vulnerability in the plugin in the update_redirection function, which could be used by hackers to prevent access to all of a site’s existing content, except for the homepage, by making changes in the API-plugin code and redirect visitors to an infected or a malicious site.

Here’s a vulnerability disclosure timeline provided by Wordfence:

March 23, 2020 – Wordfence Threat Intelligence discovers and analyzes vulnerabilities.

– Wordfence Threat Intelligence discovers and analyzes vulnerabilities. March 24, 2020 – Initial contact with the plugin’s developer team. Firewall rule released for Wordfence Premium users.

– Initial contact with the plugin’s developer team. Firewall rule released for Wordfence Premium users. March 25, 2020 – Plugin developer confirms the appropriate inbox for handling discussion. Full vulnerability disclosure sent.

– Plugin developer confirms the appropriate inbox for handling discussion. Full vulnerability disclosure sent. March 26, 2020 – Patched version of the plugin released.

– Patched version of the plugin released. April 23, 2020 – Firewall rule becomes available to Wordfence free users.

On 25th March, Defiant’s research team shared the discovery report with RankMath, and a day later, on 26th March, the developers at RankMath issued an update by fixing up loopholes in their existing code.

If you are one of the 200,000 customers of RankMath using their SEO plugin for your WordPress, it is highly recommended that you should update the plugin to the fully patched version 10.0.41

Product Review: This is why Astra Security is a must have security plugin