wpexploit, Ramuel Gall, WPEX-ID:D2DDD248-52A0-4C91-92E8-BEB60D8F78CD
History: Mar 31, 2020 - 12:00 a.m.

WordPress SEO Plugin - Rank Math < 1.0.41 - Privilege Escalation via Unprotected REST API Endpoint

EPSS: 0.011 (Low)
Percentile: 84.3%

This plugin registered a REST API endpoint, rankmath/v1/updateMeta, without a permission_callback, so no capability check was performed on requests. The endpoint called a function, update_metadata, which could be used to update the slug on existing posts, or to delete or update metadata for posts, comments, and terms. The endpoint also allowed updating metadata for users. WordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant or revoke administrative privileges for any registered user.

curl -X POST --data "objectID=<user ID to edit>&objectType=user&meta[wp_user_level]=10&meta[wp_capabilities][administrator]=1" http://example.site/wp-json/rankmath/v1/updateMeta
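
For plugin authors auditing their own routes, the sketch below registers a metadata-update route with the capability check this entry describes as missing. It is an added example for a hypothetical plugin, not Rank Math's code or its fix: the example/v1 namespace, the example_* function names and the allow-listed meta keys are assumptions.

```php
<?php
// Added example for a hypothetical plugin; not Rank Math's code.
// Assumed names: the example/v1 namespace, the example_* functions and meta keys.

const EXAMPLE_META_KEYS = array( 'example_seo_title', 'example_seo_description' );
const EXAMPLE_CAPS      = array(
	'post'    => 'edit_post',    'term' => 'edit_term',
	'comment' => 'edit_comment', 'user' => 'edit_user',
);

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/updateMeta', array(
		'methods'             => 'POST',
		'callback'            => 'example_update_meta',
		// Capability check the advisory says was missing from the route.
		'permission_callback' => 'example_can_update_meta',
	) );
} );

function example_can_update_meta( WP_REST_Request $request ) {
	$type = (string) $request->get_param( 'objectType' );
	$id   = (int) $request->get_param( 'objectID' );
	if ( ! isset( EXAMPLE_CAPS[ $type ] ) || $id <= 0 ) {
		return new WP_Error( 'example_bad_object', 'Unknown object.', array( 'status' => 400 ) );
	}
	// Meta capabilities are evaluated against the specific object, not globally.
	return current_user_can( EXAMPLE_CAPS[ $type ], $id );
}

function example_update_meta( WP_REST_Request $request ) {
	$type = (string) $request->get_param( 'objectType' );
	$id   = (int) $request->get_param( 'objectID' );
	$meta = $request->get_param( 'meta' );
	if ( ! is_array( $meta ) ) {
		return new WP_Error( 'example_bad_meta', 'meta must be a map.', array( 'status' => 400 ) );
	}
	// Allow-list keys: edit_user also passes for a user's own ID, so the
	// capability check alone would not protect wp_capabilities or wp_user_level.
	foreach ( $meta as $key => $value ) {
		if ( ! in_array( $key, EXAMPLE_META_KEYS, true ) || ! is_scalar( $value ) ) {
			return new WP_Error( 'example_forbidden_key', 'Meta key not allowed.', array( 'status' => 403 ) );
		}
	}
	foreach ( $meta as $key => $value ) {
		update_metadata( $type, $id, $key, sanitize_text_field( $value ) );
	}
	return rest_ensure_response( array( 'updated' => array_keys( $meta ) ) );
}
```

All keys are validated before any write, so a request mixing allowed and disallowed keys changes nothing.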
