Wordfence researchers found two RCE vulnerabilities in the Rank Math WordPress SEO plugin that allow attackers to hijack nearly 200,000 websites and gain remote access to them.
Rank Math is a WordPress SEO plugin with 200,000 active installations that offers features such as a setup wizard, Google Schema markup, and optimization for an unlimited number of keywords.
The first and most critical vulnerability lets attackers change arbitrary metadata, including granting or revoking administrative rights.
The second allows attackers to redirect visitors to any website anywhere on the internet.
One of Rank Math's SEO features lets users update the metadata of a post. To support this feature, the plugin registers a REST API endpoint, but the endpoint did not use a permission callback to check the caller's capability.
The endpoint calls the update_metadata function, shown in the image below, which can be used to update the slug of existing posts or to delete or update post metadata; this is the function the critical vulnerability abuses.
Vulnerable REST route
According to the Wordfence report, “WordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant any registered user administrative privileges and remove the existing admin privilege.”
An attacker could therefore lock an administrator out of the site if the site has only one administrator account.
The second flaw is in the plugin's redirection module, which also registers a REST API endpoint without a permission callback to validate the caller's capability.
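Both endpoints share the same root cause: a REST route registered without a permission_callback is reachable by any caller. The following is an added illustration, not Rank Math's code, showing a weakly registered metadata route beside a hardened one; the namespace, route paths, parameter names and handler are hypothetical.

```php
<?php
// Added illustration (not Rank Math's code). Namespace, paths, parameter
// names and the handler are hypothetical.

// Weak: no permission_callback, so WordPress routes requests from any
// caller, including unauthenticated visitors, straight to the handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/update-meta-weak', array(
        'methods'  => 'POST',
        'callback' => 'example_seo_update_meta',
        // 'permission_callback' is missing here.
    ) );
} );

// Hardened: the permission_callback runs before the handler and
// requires the caller to be allowed to edit the specific post.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/update-meta', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_update_meta',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request->get_param( 'objectID' );
            return current_user_can( 'edit_post', $post_id );
        },
        'args' => array(
            'objectID' => array( 'required' => true, 'type' => 'integer' ),
            'meta'     => array( 'required' => true, 'type' => 'object' ),
        ),
    ) );
} );

// Handler: writes only post meta (never user meta, where capabilities
// live) and skips protected keys such as those starting with "_".
function example_seo_update_meta( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'objectID' );
    $meta    = (array) $request->get_param( 'meta' );
    foreach ( $meta as $key => $value ) {
        if ( is_protected_meta( $key, 'post' ) ) {
            continue;
        }
        update_post_meta( $post_id, sanitize_key( $key ), sanitize_text_field( $value ) );
    }
    return rest_ensure_response( array( 'updated' => true ) );
}
```

Since WordPress 5.5, omitting permission_callback triggers a _doing_it_wrong notice in debug mode, but the route still answers unauthenticated requests, so the notice is a hint to fix the registration, not a mitigation.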
“The endpoint called a function, update_redirection, which could be used to create new redirects or modify existing redirects, with an important limitation.”
According to the researchers, “The redirect could not be set to an existing file or folder on the server, including the site’s main page. This limited the damage to some extent in that, while an attacker could create a redirect from most locations on the site, including new location”
In effect, an attacker could lock up the site's existing content, other than the home page, and redirect all visitors to the attacker's malicious website.