Flaw in WordPress plug-in turns hackers into admins

News by Rene Millman

Wordfence discovers flaw that could grant or revoke admin rights to any registered user, another allows attacker to control website navigation

Security researchers have discovered bugs in a WordPress plugin, one of which allowed hackers to gain administrator privileges for any registered user.

An unauthenticated attacker could update arbitrary metadata and, in doing so, grant or revoke administrative privileges for any registered user on the site, said a blog post by Wordfence. Another flaw allowed an unauthenticated attacker to create redirects from almost any location on the site to any destination of their choice.

Rank Math is a plugin used by over 200,000 websites to help owners attract more traffic to their sites through search engine optimisation (SEO). The plugin is easy to set up and supports Google Schema Markup (aka Rich Snippets), keyword optimisation, Google Search Console integration, and Google keyword rank tracking.

The flaw lies in an unprotected REST-API endpoint. The plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permission_callback used for capability checking.

“The endpoint called a function, update_metadata, which could be used to update the slug on existing posts, or could be used to delete or update metadata for posts, comments, and terms. This endpoint also allowed for updating metadata for users, leading to this critical vulnerability,” researchers said.

Not only that, an attacker could completely revoke an existing administrator’s privileges by sending a similar request with a meta[wp_user_level] parameter and a meta[wp_capabilities] parameter set to empty values.

“Since many sites have a single administrator with a user ID of 1, this meant that an attacker could lock an administrator out of their own site,” the blog post said.

Developers using the REST API in their plugins were urged to make sure to include a permission_callback on any endpoints they don’t want to be available to the public. “Be aware this also requires that a valid wp_rest nonce be generated and sent with any requests to the protected endpoint,” the blog post added.
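To illustrate the advice above, here is an added example (not Rank Math’s or Wordfence’s code) of a REST route registered without a permission_callback, as the article describes, beside a hardened registration. The namespace `example/v1`, the route names, the `object_id` and `meta` parameter names and the `edit_post` capability check are all assumptions for the illustration.

```php
<?php
// Added example, not the plugin's own code. The two routes have different
// names only so both can be registered for comparison; a real plugin would
// register the hardened one alone.

// Weak pattern: no permission_callback, so WordPress treats the route as
// public and unauthenticated requests reach the handler directly.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/updateMeta-unprotected', array(
        'methods'  => 'POST',
        'callback' => 'example_update_meta',
        // missing: 'permission_callback'
    ) );
} );

// Hardened pattern: permission_callback runs before the handler. With cookie
// authentication WordPress only sets the current user when a valid wp_rest
// nonce (X-WP-Nonce header) accompanies the request, so without it the
// capability check below fails closed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/updateMeta', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_meta',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Assumed policy: caller must be logged in and allowed to edit
            // the specific post whose metadata is being changed.
            $object_id = (int) $request->get_param( 'object_id' );
            if ( ! is_user_logged_in() || ! current_user_can( 'edit_post', $object_id ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'object_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

function example_update_meta( WP_REST_Request $request ) {
    $object_id = (int) $request->get_param( 'object_id' );
    // Only post metadata is written; user, comment and term metadata are
    // deliberately unreachable from this endpoint, so keys such as
    // wp_capabilities on a user row cannot be touched through it.
    $meta = (array) $request->get_param( 'meta' );
    foreach ( $meta as $key => $value ) {
        update_post_meta( $object_id, sanitize_key( $key ), sanitize_text_field( $value ) );
    }
    return rest_ensure_response( array( 'updated' => array_keys( $meta ) ) );
}
```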

Presently, any version of Rank Math lower than 10.0.41 is vulnerable to attack. It is highly recommended that users update their Rank Math SEO plugin to the latest version. Researchers contacted Rank Math on 25 March, and a fix to the flaw was pushed out the next day.

Jake Moore, cyber-security specialist at ESET, told SC Media UK that this is a huge threat to a webmaster, as it is extremely easy for a threat actor to exploit and take advantage of admin privileges with this plugin if left unpatched.

“WordPress plugins should always be monitored closely by the owners, and this one should be upgraded immediately,” he said.

“It is critical to keep a close eye on all areas of a website and never to feel complacent. Some websites are not looked after in-house, so it is advised to make sure that your website is looked after by someone who is on top of security issues and aware of current threats, as well as monitoring for any updates that become available.”
