Friday, January 24, 2025
HomeInternetCritical RCE Bug in WordPress Plugin Let Hackers Gain Admin Access on...

Critical RCE Bug in WordPress Plugin Let Hackers Gain Admin Access on 200,000 Websites

Published on

SIEM as a Service

Follow Us on Google News

Researchers from Wordfence uncovered two RCE vulnerabilities in WordPress SEO plugin called Rank Math let hackers hijack nearly 200,000 vulnerable Websites and gain remote access.

Rank Math is an SEO plugin for WordPress and it gives various SEO features such as Setup Wizard, Google Schema Markup, Optimizes Unlimited Keywords with 200,000 active installations.

The first vulnerability is the most critical one that allows attackers to update arbitrary metadata, including the ability to grant or revoke administrative privileges.

The second vulnerability lets attackers redirect the victims to any website for their choice and any location on the site.

Rank Math’s one of the SEO features allow users to update Metadata on the post. To use this feature, plugin registered a REST-API endpoint that failed to include a permission_callback used for capability checking.

A function called “update_metadata” which you can see in the below image is used to update the slug existing posts or could be used to delete or update metadata for posts which enable this critical vulnerability and it can be exploited

 WordPress Plugin
Vulnerable REST route

According to WordFence report ” WordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant any registered user administrative privileges and remove the existing admin privilege.

If the site has the single administrative right, then the attacker could lock an administrator out of their own site.

The second vulnerability existing in a module that can be used to create redirects on a site and the feature can be used by registered a REST-API endpoint, which is again failed to include a permission_callback for capability checking.

“The endpoint called a function, update_redirection, which could be used to create new redirects or modify existing redirects, with an important limitation”

According to the researchers “The redirect could not be set to an existing file or folder on the server, including the site’s main page. This limited the damage to some extent in that, while an attacker could create a redirect from most locations on the site, including new location”

Also attacker will lock the existing content access in the site except the home page and redirect the visitors to the malicious website that hosted by the attacker.

Also Read: WPScan – Penetration Testing Tool to Find The Security Vulnerabilities in Your WordPress Websites

You can share your thoughts about the article via  Twitter,  Facebook and Linkedin page also get the Daily cyber security & hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Android Kisok Tablets Vulnerability Let Attackers Control AC & Lights

A startling security flaw found in Android-based kiosk tablets at luxury hotels has exposed...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Is this Website Safe: How to Check Website Safety – 2025

is this website safe? In this digital world, Check a website is safe is...

AeroNet Wireless Launches 10Gbps Internet Plan: A Landmark Moment in Puerto Rico’s Telecommunications Industry

The telecom company AeroNet Wireless announced the launch of its new 10Gbps speed Internet...

10 Cybersecurity Threats in 2024 and How to Protect Yourself

Cybersecurity Threats deal with emerging dangers and include protecting and preventing means against hacker...