SB2020040606 - Multiple vulnerabilities in WordPress SEO Plugin – Rank Math

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-11514)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to the affected plugin registers the "rankmath/v1/updateMeta" REST-API endpoint, which fails to include a "permission_callback" used for capability checking. A remote attacker can send a specially crafted request and gain administrator privileges on the target system.

2) Open redirect (CVE-ID: CVE-2020-11515)

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data in the "rankmath/v1/updateRedirection" REST-API endpoint in "update_redirection" function. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain..

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Remediation

Install update from vendor's website.

References

• https://wpvulndb.com/vulnerabilities/10157/
• https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/