2,00,000 WORDPRESS WEBSITES ARE AT RISK WITH SEO PLUGIN

An open-source content management system on which more than 85% of the websites are built,  WordPress , observes 2 critical  vulnerabilities . According the researchers from Wordfence, the first vulnerability even allows an unauthenticated attacker to change the administrative rights for the registered users on a particular website and the second vulnerability helps the hacker’s intention to launch attack i.e. it allows an unauthenticated attacker to redirect any website to the other destination website of their choice . The vulnerabilities are observed in the WordPress SEO Plugin – Rank Math which has over 2,00,000 installations . This plugin helps in SEO activities in order to improve and maintain site’s visibility on the internet . But the interesting fact is , the vulnerability which is discovered lies in the REST API endpoint contain in this plugin. The REST word itself defines certain rules and instructions on how the API should be programmed so that the program which is using a particular API can transfer information securely but here the developer seems not to pay attention on that.

VULNERABILTIES IN REST API

The two vulnerabilities discovered in WordPress SEO Plugin – Rank Math plugin helps in SEO activities but also include the functionality to update the metadata i.e. data of data like when is the particular post is published , who wrote it etc. on a particular website’s post . This functionality thus allows flexibility to the owner of the website but plugin’s developer has made some flaws in it . To do this functionality , the plugin registered a REST API endpoint rankmath/v1/updateMeta which updates the meta data on the post but API’s code failed to include permission_callback which is necessary to grant administrative rights to a user . Thus this function is absent in the code , any unauthenticated attacker could grant or revoke the permissions for the registered users on that website . The vulnerable code for REST route  is shown below :

 register_rest_route(
    $this->namespace,
    '/updateMeta',
    [
        'methods'  => WP_REST_Server::CREATABLE,
        'callback' => [ $this, 'update_metadata' ],
        'args'     => $this->get_update_metadata_args(),
    ]
);

As you can see the methods ( POST or GET ) of transferring data , arguments which has to be updated  and callback all are well structured and defined but the programmer has not include any statement or function to check the administrative rights for the user , this makes REST structure critically vulnerable . The  update_metadata function which the REST directs to is programmed as :

public function update_metadata( WP_REST_Request $request ) {
    $object_id   = $request->get_param( 'objectID' );
    $object_type = $request->get_param( 'objectType' );
    $meta        = $request->get_param( 'meta' );
    $new_slug = true;
    if ( isset( $meta['permalink'] ) && ! empty( $meta['permalink'] ) ) {
        $post     = get_post( $object_id );
        $new_slug = wp_unique_post_slug( $meta['permalink'], $post->ID, $post->post_status, $post->post_type, $post->post_parent );
        wp_update_post(
            [
                'ID'        => $object_id,
                'post_name' => $new_slug,
            ]
        );
        unset( $meta['permalink'] );
    }
    $sanitizer = Sanitize::get();
    foreach ( $meta as $meta_key => $meta_value ) {
        if ( empty( $meta_value ) ) {
            delete_metadata( $object_type, $object_id, $meta_key );
            continue;
        }
        update_metadata( $object_type, $object_id, $meta_key, $sanitizer->sanitize( $meta_key, $meta_value ) );
    }
In order to exploit this vulnerability an attacker sends
    return $new_slug;
}

The usermeta table in the above given code stores the user’s permission which can be altered by an unauthorized attacker or foreign user through in which the attacker sends a POST request to the  wp-json/rankmath/v1/updateMeta  with:

To grant administrative priveledges :

object ID set as UserID of the user to be modififed , parameters objectType set to user , meta[wp_user_level] to 10 and  meta[wp_capabilities][administrator] to 1

To revoke administrative priveledges :

object ID set as UserID of the user to be modififed , parameters objectType set to user , meta[wp_user_level] to NULL and  meta[wp_capabilities][administrator] to NULL .

Attackers with some more capabilities or skills can also cause more damage to the database of the website by performing Cross site scripting and SQL Injection attacks with these critical vulnerability .

Another critical vulnerability which is discovered in the same plugin can do the same level of damage to the website . As this plugin offers more flexibility thus this flexibility needs to maintain with complex  optional modules . One of the feature of the module contained in the plugin is to create redirects on a site , This plugin has an REST-API  , rankmath/v1/updateRedirection , which again lacks of the function permission_callback for capability checking . The structure for the REST is programmed as :

register_rest_route(
    $this->namespace,
    '/updateRedirection',
    [
        'methods'  => WP_REST_Server::CREATABLE,
        'callback' => [ $this, 'update_redirection' ],
    ]
);

As you can again see, there is not any function or statement to check the administrative capabilities of the user , thus the user can cause the damage to the website by changing the administrative rights for the users . The code for update_redirection API looks like :

public function update_redirection( WP_REST_Request $request ) {
    $cmb     = new \stdClass;
    $metabox = new \RankMath\Redirections\Metabox;
    $cmb->object_id    = $request->get_param( 'objectID' );
    $cmb->data_to_save = [
        'has_redirect'            => $request->get_param( 'hasRedirect' ),
        'redirection_id'          => $request->get_param( 'redirectionID' ),
        'redirection_url_to'      => $request->get_param( 'redirectionUrl' ),
        'redirection_sources'     => \str_replace( home_url( '/' ), '', $request->get_param( 'redirectionSources' ) ),
        'redirection_header_code' => $request->get_param( 'redirectionType' ) ? $request->get_param( 'redirectionType' ) : 301,
    ];
    if ( false === $request->get_param( 'hasRedirect' ) ) {
        unset( $cmb->data_to_save['redirection_url_to'] );
    }
    if ( empty( $request->get_param( 'redirectionID' ) ) ) {
        unset( $cmb->data_to_save['redirection_id'] );
    }
    return $metabox->save_advanced_meta( $cmb );
}

In order to manage this vulnerability , the attacker can with his potentials and skills can able to redirect the user to any other website where he wants to but he cannot redirects the user to any other file or folder of the website including the index page of the website thus limiting the attacking radar for the attacker . An attacker can do so by sending $_POST request to rankmath/v1/updateRedirection with a redirectionUrl parameter set to the location they wanted the redirect to go to, a redirectionSources parameter set to the location to redirect from, and a hasRedirect parameter set to true . Thus allowing an attacker to launch attacks.

CONCLUSION

  • Developer are advised to include permission_callback function if they are using REST API .
  • As these vulnerabilities are patched in the new version i.e in the 10.0.41 version of WordPress , so users are advised to please download the latest version for the same immediately.
  • Update WordPress SEO Plugin soon.