Critical WordPress Plugin Bug Can Lock Admins Out of Websites

A pair of security vulnerabilities in the WordPress search engine optimization (SEO) plugin, known as Rank Math, could allow remote cybercriminals to elevate privileges and install malicious redirects onto a target site, according to researchers. It’s a WordPress plugin with more than 200,000 installations.

According to researchers with Wordfence, one of the flaws is critical (10 out of 10 on the CVSSv3 vulnerability severity scale). It could allow an unauthenticated attacker to update arbitrary metadata. This can be abused to grant or revoke administrative privileges for any registered user on the site.

The second vulnerability is characterized as high-severity (7.4 on the severity scale) and could enable an unauthenticated attacker to create redirects from almost any location on the site to any destination of their choice.

Wordfence disclosed the bugs to the developer of the add-on on March 24 (its full name is “WordPress SEO Plugin – Rank Math”) – and CVE tracking numbers are forthcoming, researchers said, in an analysis released Tuesday. A patch is now available in the latest version, 1.0.41.1, so Web administrators should update their sites.

Critical Metadata Flaw

Rank Math allows users to update the metadata on website posts – which is where the bug lies, according to a technical analysis published on Tuesday by Wordfence.

The plugin registers a REST-API endpoint, rankmath/v1/updateMeta, the firm explained in its breakdown. This calls a function called “update_metadata,” which could be used to update the slug on existing posts, or could be used to delete or update metadata for posts, comments and terms. This endpoint also allows for updating metadata for users.

The issue is that in non-patched versions, the endpoint fails to include a permissions check on users making changes.

“WordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant any registered user administrative privileges by sending a $_POST request to wp-json/rankmath/v1/updateMeta, with an objectID parameter set to the User ID to be modified, an objectType parameter set to user, a meta[wp_user_level] parameter set to 10, and a meta[wp_capabilities][administrator] parameter set to 1,” the analysis noted.

A nefarious type could also completely revoke an existing administrator’s privileges by sending a similar request with a meta[wp_user_level] parameter and a meta[wp_capabilities] parameter set to empty values, the researchers added, effectively locking administrators out of their own sites.

“Note that these attacks are only the most critical possibilities. Depending on the other plugins installed on a site, the ability to update post, term and comment metadata could potentially be used for many other exploits such as cross-site scripting (XSS),” the researchers commented.

Malicious Redirect Bonanza

The Rank Math plugin also comes with an optional module that can be used to create redirects on a site. An administrator might do this to direct visitors away from pages under construction, for example.

In order to add this feature, the plugin registers a REST-API endpoint for this too, called “rankmath/v1/updateRedirection.” And, like the other vulnerability, this endpoint fails to execute a permissions check, according to Wordfence – which means that an attacker could easily create new redirects or modify existing redirects. As such, the attack could essentially be used to prevent access to almost all of a site’s existing content, according to the analysis, by simply redirecting visitors to a malicious site.

“In order to perform this attack, an unauthenticated attacker could send a $_POST request to rankmath/v1/updateRedirection with a redirectionUrl parameter set to the location they wanted the redirect to go to, a redirectionSources parameter set to the location to redirect from, and a hasRedirect parameter set to true,” Wordfence researchers wrote.

There is, however, a caveat that accounts for the lower-severity rating of the bug: “The redirect could not be set to an existing file or folder on the server, including the site’s main page,” according to the analysis. “This limited the damage to some extent in that, while an attacker could create a redirect from most locations on the site, including new locations, or any existing post or page other than the homepage, they could not redirect visitors immediately upon accessing the site.”

Web admins can mitigate the issues by building in a “permission_callback” on any REST-API endpoints, or by updating to the latest version of the plug-in.

WordPress plugins continue to make headlines as weak links that can lead to website compromises. For instance, in March, a critical vulnerability in a WordPress plugin known as “ThemeREX Addons” was found that could open the door for remote code execution in 44,000 websites.

Also in March, two vulnerabilities – including a high-severity flaw – were patched in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to infect malicious JavaScript into a popup – potentially opening up more than 100,000 websites to takeover.

In February, popular WordPress plugin Duplicator, which has more than 1 million active installations, was discovered to have an unauthenticated arbitrary file download vulnerability that was being attacked. And, earlier that month, a critical flaw in a popular WordPress plugin that helps make websites compliant with the General Data Protection Regulation (GDPR) was disclosed; it could enable attackers to modify content or inject malicious JavaScript code into victim websites. It affected 700,000 sites.

Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join_Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar. _