One of the two security flaws is a privilege escalation vulnerability with a CVSS score of 10.0. This critical flaw existed due to an unprotected REST API endpoint in the update metadata feature. Regarding how the exploit would work, the researcher stated,
WordPress user permissions are stored in theFurthermore, exploiting the same vulnerability would even allow the attacker to lockout an administrator from their site.usermetatable, which meant that an unauthenticated attacker could grant any registered user administrative privileges by sending a$_POSTrequest towp-json/rankmath/v1/updateMeta, with anobjectIDparameter set to the User ID to be modified, anobjectTypeparameter set touser, ameta[wp_user_level]parameter set to10, and ameta[wp_capabilities][administrator]parameter set to1.
The second vulnerability appeared due to unprotected REST API endpoint linked with a module for creating site redirects. Explaining this high-severity flaw, the blog reads,
To perform this attack, an unauthenticated attacker could send a$_POSTrequest torankmath/v1/updateRedirectionwith aredirectionUrlparameter set to the location they wanted the redirect to go to, aredirectionSourcesparameter set to the location to redirect from, and ahasRedirectparameter set totrue. This attack could be used to prevent access to all of a site’s existing content, except for the homepage, by redirecting visitors to a malicious site.
Eventually, after three days, they rolled out the WordPress SEO Plugin – Rank Math version 10.0.41 with the fixes. Hence, users of this plugin must ensure updating their sites with the patched version to keep their sites safe.
Let us know your thoughts in the comments.