2020-04-02

Hundreds of thousands of administrators around the world faced the threat of losing their sites

A vulnerability in the Rank Math SEO plugin for WordPress allows any registered user to be made a site administrator, and the legitimate administrators to be demoted. Fixes have already been released.
“I’m in charge here”
A critical vulnerability in one of the most popular SEO plugins for WordPress, the widely used open-source content management system, allows any registered user to be turned into a site administrator. About 200 thousand sites are at risk.
The plugin in question, Rank Math, is described by its developers as the “Swiss army knife of WordPress SEO”. The plugin comes with a step-by-step setup wizard and supports a number of SEO technologies and tools: Google Schema Markup (Rich Snippets), keyword optimization, integration with Google Search Console, and more.
Experts from Defiant's Wordfence Threat Intelligence team found a privilege escalation bug in the plugin that allows “an unauthenticated attacker to spoof arbitrary metadata, which leads, in particular, to the possibility to grant or revoke administrative privileges to any registered user on the site.”
Attackers can also strip administrators of their privileges. If the site has only one administrator, this can result in the site itself being locked.
Defiant notes that these scenarios are the most critical ones. The bug gives attackers considerable freedom of action, especially when other vulnerable components are present on the website.
Do not go there, go here
In addition, another vulnerability was found in one of Rank Math's optional modules: it allows unauthenticated users to create redirects from any area of the site to any other resource. In practice, this could mean blocking access to the site's entire content except the main page, or automatically forwarding visitors to a malicious site.
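Both bugs described above belong to the same class: a plugin endpoint that writes metadata or creates redirects without first checking who is calling it and what it is being asked to write. The following is an added illustration, not Rank Math's code or the actual fix, of the checks a WordPress plugin needs on such endpoints. The route name, the `example_` prefix, the meta keys and the option name are assumptions made for this example; the WordPress functions used (`register_rest_route`, `current_user_can`, `wp_validate_redirect`, `update_post_meta`, `update_option`) are real.

```php
<?php
// Added illustration (not the plugin's code): a REST route that lets a logged-in
// user update a small set of SEO metadata on a post, with the checks whose
// absence leads to the class of bug described in the article.
// 'example-seo/v1', the example_ functions and meta keys are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/meta/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_update_meta',
        // Unauthenticated or under-privileged requests never reach the callback.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['id'];
            return is_user_logged_in() && current_user_can( 'edit_post', $post_id );
        },
        'args' => array(
            'id' => array( 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

function example_seo_update_meta( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    // Only these post meta keys may be written. User metadata such as
    // wp_capabilities (which stores roles) is never reachable through this route,
    // so a caller cannot grant or revoke administrator rights via it.
    $allowed = array( 'example_seo_title', 'example_seo_description' );
    $body    = (array) $request->get_json_params();
    $written = array();
    foreach ( $body as $key => $value ) {
        if ( ! in_array( $key, $allowed, true ) ) {
            return new WP_Error( 'rest_forbidden_meta', 'Unsupported meta key.', array( 'status' => 400 ) );
        }
        update_post_meta( $post_id, $key, sanitize_text_field( $value ) );
        $written[] = $key;
    }
    return rest_ensure_response( array( 'updated' => $written ) );
}

// Redirect creation: only users allowed to manage the site may create redirects,
// and the target is validated against the hosts WordPress already trusts
// (wp_validate_redirect returns the fallback '' for any other host), so the site
// cannot be pointed at an arbitrary external domain.
function example_seo_create_redirect( $source_path, $target_url ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    $validated = wp_validate_redirect( esc_url_raw( $target_url ), '' );
    if ( '' === $validated ) {
        return new WP_Error( 'invalid_target', 'Redirect target host is not allowed.', array( 'status' => 400 ) );
    }
    // Persist the (source, target) pair under a per-source option name (assumed layout).
    update_option( 'example_seo_redirect_' . md5( $source_path ), $validated );
    return true;
}
```

The two points to audit in any plugin exposing similar functionality are the `permission_callback` (a route registered without one, or with one that always returns true, is reachable by anyone) and the list of metadata keys the handler is willing to write; if that list is open-ended, a capability check on the caller alone does not prevent role changes.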
“WordPress has become a subject of intense interest on the part of malefactors, both because of its popularity and because of the abundance of vulnerabilities that are regularly discovered in various plugins for it,” says Dmitry Kiryukhin, an information security expert at SEC Consult Services. “Due to the critical nature of some of them, sites on WordPress have been subject to intensive attacks since the beginning of 2020, so the identification of new threat vulnerabilities is very inappropriate. It remains to hope that administrators will not proceed with the update installation; otherwise, they have every prospect of losing their sites.”
The Rank Math update is already available on the developer's website. It fixes both vulnerabilities.