A critical vulnerability has been found in the Rank Math SEO plugin, allowing an attacker to gain administrative access. Luckily, this was fixed a day after Rank Math was notified of the issue.
In the context of a WordPress site, privilege escalation refers to a situation, typically a coding bug, that lets an attacker acquire administrator-level privileges they were never granted.
In the Rank Math case, the flaw let an unauthenticated attacker grant administrator privileges to any registered user, including an account the attacker controlled.
Once an attacker held those privileges, they could do a slew of things, such as deleting an existing administrator and creating a new one.
According to the WordPress Vulnerability Database:
“This plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permission_callback used for capability checking.”
The permission_callback verifies that the user making the request is allowed to perform the requested action before the endpoint's main handler runs.
This is how the official WordPress developer documentation describes the importance of the permission_callback:
“This is a function that checks if the user can perform the action (reading, updating, etc) before the real callback is called. This allows the API to tell the client what actions they can perform on a given URL without needing to attempt the request first.”
What that means in practice is that the permission_callback which checks whether the caller has the required capability should have been registered with the endpoint, but it was missing, so the endpoint was reachable by anyone.
Wordfence describes the missing permission_callback as a failure:
“In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permission_callback used for capability checking.
…The WordPress SEO Plugin – Rank Math plugin includes a number of optional modules, including a module that can be used to create redirects on a site.
In order to add this feature, the plugin registered a REST-API endpoint… which again failed to include a permission_callback for capability checking.”
The WordPress Vulnerability Database stated that the missing permission_callback could allow an unauthenticated attacker to grant or revoke administrator privileges for any registered user:
“This endpoint also allowed for updating metadata for users. WordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant or revoke administrative privileges for any registered user.”
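The bug class both write-ups describe, shown here as an added example that is not Rank Math's code and is not taken from the Wordfence or WordPress Vulnerability Database posts: a REST route registered without a permission_callback, beside a hardened version of the same route. The route namespace (example/v1), the handler and parameter names, and the allowlisted meta keys are all hypothetical.

```php
<?php
// Added example, not Rank Math's code. Namespace, handler names, parameter
// names and the allowlisted keys below are hypothetical.

// VULNERABLE: no permission_callback, so WordPress treats the route as public
// and any unauthenticated client can call it. Because the handler writes
// whatever meta key it is given, a request naming the capabilities key
// ({$wpdb->prefix}capabilities, usually wp_capabilities) can turn any
// registered user into an administrator.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/updateMetaInsecure', array(
        'methods'  => 'POST',
        'callback' => 'example_update_meta_insecure',
        // 'permission_callback' is missing: this is the flaw described above.
    ) );
} );

function example_update_meta_insecure( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $key     = $request->get_param( 'meta_key' );
    $value   = $request->get_param( 'meta_value' );
    update_user_meta( $user_id, $key, $value );
    return rest_ensure_response( array( 'updated' => true ) );
}

// HARDENED: the permission_callback runs before the handler and rejects the
// request unless the caller may edit the target user. The 'args' schema also
// restricts meta_key to an explicit allowlist of plugin-owned keys, so protected
// keys such as wp_capabilities can never be reached through this route.
const EXAMPLE_ALLOWED_META_KEYS = array( 'example_seo_title', 'example_seo_description' );

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/updateMeta', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_meta_secure',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $user_id = (int) $request->get_param( 'user_id' );
            // edit_user is a meta capability: WordPress maps it to edit_users for
            // other accounts and to the user's own profile rights for themselves.
            if ( ! current_user_can( 'edit_user', $user_id ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to edit this user.',
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
        'args' => array(
            'user_id'    => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
            'meta_key'   => array( 'required' => true, 'type' => 'string', 'enum' => EXAMPLE_ALLOWED_META_KEYS ),
            'meta_value' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

function example_update_meta_secure( WP_REST_Request $request ) {
    $user_id = (int) $request['user_id'];
    $key     = $request['meta_key'];
    // Defense in depth: re-check the allowlist even though 'args' already validated it,
    // so a later change to the schema cannot silently widen what this handler writes.
    if ( ! in_array( $key, EXAMPLE_ALLOWED_META_KEYS, true ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unsupported meta key.', array( 'status' => 400 ) );
    }
    update_user_meta( $user_id, $key, $request['meta_value'] );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

Since WordPress 5.5, register_rest_route() logs a _doing_it_wrong notice when permission_callback is omitted; a route that is genuinely public has to say so explicitly by passing '__return_true'. The allowlist matters as much as the capability check: even an authenticated editor should not be able to reach wp_capabilities or wp_user_level through a meta-update route, because those keys are where WordPress stores a user's role.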
Any version of Rank Math lower than 1.0.41 is vulnerable to this attack, and it is highly recommended that you update your Rank Math SEO plugin to the latest version.
Rank Math was notified of the vulnerability on March 25 and fixed it the very next day.
Rank Math notified users in a transparent manner. Their changelog contains a note about the fixed issue.
This is how the official Rank Math changelog describes the fix:
“FIXED: A couple of REST API security issues reported by Wordfence team”