WordPress Plugin Bug Lets Hackers Turn Users Into Admins

WordPress Plugin Bug Lets Hackers Turn Users Into Admins

Web Development and Website Design services by CleverOgre

A crucial privilege escalation vulnerability found in the WordPress SEO plugin – if left unpatched, the Rank Math plugin will allow attackers to grant privileges to any registered user on one of the 200,000 sites with active installs.

Rank Math is a WordPress plugin described by its creators as ‘WordPress SEO’s Swiss Army Knife’ designed to help website owners draw more traffic to their pages through search engine optimisation (SEO).

The plugin comes with a configuration wizard that configures it through a step-by-step installation process and supports Google Schema Markup (aka Rich Snippets), keyword optimization, integration with the Google Search Console, Google Keyword rank monitoring, and much more.

Users can be a WordPress Admin

The Rank Math privilege escalation vulnerability has been identified in an insecure REST-API endpoint by Defiant’s Wordfence Threat Intelligence team.

According to Defiant QA engineer Ram Gall, the successful exploitation of this bug “allowed an unauthenticated attacker to update arbitrary metadata, including the ability to grant or revoke administrative privileges for any registered user on the site.”

To make matters worse, attackers might even lock administrators from their sites by revoking their administrator privileges as many WordPress sites have a single admin account.

“Note that these attacks are only the most critical possibilities,” Gall explains. “Depending on the other plugins installed on a site, the ability to update post, term, and comment metadata could potentially be used for many other exploits such as Cross-Site Scripting (XSS).”

Vulnerable REST route
Vulnerable REST route (Defiant)

WordPress Sites Being Targeted

Attackers have been attempting to take over WordPress web pages since the beginning of 2020 by leveraging recently fixed or zero-day bugs in plugins built on hundreds of thousands of pages.

Attacks on tens of thousands of WordPress sites abussing critical bugs like a zero-day in multiple plugins were found by researchers in late February while being used which could have led to the planting of backdoors and the development of rogue admin account.

Posted on