A critical privilege-escalation vulnerability has been found in Rank Math, an SEO plugin for WordPress installed more than 200,000 times. By exploiting it, an attacker can grant administrator privileges to any registered user of the site.
The problem was discovered by Defiant's Wordfence Threat Intelligence team in an unprotected REST API endpoint. Exploiting the flaw allows an unauthenticated attacker to modify arbitrary metadata, including granting or revoking administrative privileges for any registered user.
Worse, according to the researchers, attackers can also lock out legitimate site administrators by revoking their privileges, and many WordPress sites have only one administrator account.
“Please note that these attacks are only the most significant capabilities (when exploiting the vulnerability). Depending on other plugins installed on the site, the ability to change metadata for posts, comments, and so on can potentially be used for many other exploits, such as cross-site scripting (XSS),” the experts write.
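The root cause described above is a REST route that writes metadata without an effective permission check. The following is an added illustration, not Rank Math's code and not taken from the Wordfence write-up; the namespace `example/v1`, the route names, the `example_` meta-key prefix and the callback name are all hypothetical. It places the weak registration pattern (a `permission_callback` that accepts every request) next to a hardened route that requires an authenticated user with the `edit_user` capability, validates its inputs against an allow-list, and refuses to touch the role and capability meta keys at all.

```php
<?php
// Added illustration (not Rank Math's code): gating a WordPress REST route
// that writes user metadata. Route names and the meta-key prefix are hypothetical.

add_action( 'rest_api_init', function () {

    // Weak pattern: '__return_true' means any unauthenticated request passes
    // the permission check, so anyone can reach the metadata-writing callback.
    // Shown only to contrast with the hardened route below.
    register_rest_route( 'example/v1', '/user-meta-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_user_meta',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: require a logged-in user who may edit the target user,
    // and validate/sanitize every argument before the callback runs.
    register_rest_route( 'example/v1', '/user-meta', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_user_meta',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $user_id = (int) $request->get_param( 'user_id' );
            return is_user_logged_in() && current_user_can( 'edit_user', $user_id );
        },
        'args' => array(
            'user_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
            'key' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
                // Allow-list: only this plugin's own namespaced meta keys.
                'validate_callback' => function ( $value ) {
                    return 0 === strpos( $value, 'example_' );
                },
            ),
            'value' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_update_user_meta( WP_REST_Request $request ) {
    global $wpdb;
    $key = $request->get_param( 'key' );

    // Defense in depth: never let this endpoint write the role/capability meta
    // (wp_capabilities, wp_user_level), even if the allow-list above changes.
    $blocked = array( $wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level' );
    if ( in_array( $key, $blocked, true ) ) {
        return new WP_Error( 'rest_forbidden_meta', 'This key cannot be modified.', array( 'status' => 403 ) );
    }

    update_user_meta( (int) $request->get_param( 'user_id' ), $key, $request->get_param( 'value' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

When auditing a plugin, searching its `register_rest_route` calls for `'permission_callback' => '__return_true'` (or a missing `permission_callback`) on any route that writes data is a quick way to find endpoints of this class; WordPress also logs a notice when a route is registered without one.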
The researchers also found a second issue that allows unauthenticated attackers to create redirects from almost anywhere on the site to any destination of their choice. The bug was found in one of Rank Math's optional modules, which, as the name suggests, is used to create redirects on WordPress sites.
“This attack can be used to block access to all existing site content, with the exception of the home page, by redirecting visitors to a malicious resource,” the experts say.
The plugin's developers have already prepared and released an updated version, Rank Math 1.0.42, in which both security issues found by the researchers are fixed. Since one of the vulnerabilities is critical, users are urged to update as soon as possible.