
Don’t get locked out of your own website – update this WordPress plugin now!
2020-04-02 16:24

Researchers at WordFence, a company that provides cybersecurity services for WordPress users, have warned of two security problems in a popular WordPress plugin called Rank Math.

The creators of Rank Math, it seems, had neglected to put security checks on some of the remote commands that the plugin supports.

So an attacker without an existing account to promote could demote the site's real administrator instead, potentially locking them out of their own website altogether.

Because of the redirect bug, an unauthenticated user, such as an attacker on the other side of the world, might be able to access and reconfigure Rank Math's redirect database, thus causing existing web pages to divert visitors elsewhere, apparently even to a completely different website.

Rank Math's developers had no permission checks on the affected REST endpoints, but they added them quickly, reacting very promptly to the WordFence report and putting out a patch within three days.
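The class of defect described above, a REST endpoint that accepts a state-changing request without checking who is calling, is easy to see in WordPress plugin code. The following is an added illustration written for this page, not Rank Math's code: the route names, the option key and the handler function are hypothetical. It shows a route registered with a permission callback that always succeeds beside one whose permission callback requires the manage_options capability, which is what a plugin should use for any endpoint that changes configuration.

```php
<?php
// Added example, not from the Rank Math plugin. The namespace 'example/v1',
// the routes, the option 'example_setting' and the handler are hypothetical.

add_action('rest_api_init', function () {
    // Weak: a permission_callback that always returns true makes the endpoint
    // public. Any unauthenticated HTTP client can POST to it and the handler
    // below will change site configuration. Omitting permission_callback
    // altogether has the same effect (WordPress 5.5+ logs a _doing_it_wrong
    // notice but still registers the route as public).
    register_rest_route('example/v1', '/settings-weak', [
        'methods'             => 'POST',
        'callback'            => 'example_update_setting',
        'permission_callback' => '__return_true',
    ]);

    // Hardened: the permission_callback runs before the handler and is the
    // authorization check. WordPress answers 401 (not logged in) or 403
    // (logged in but lacking the capability) and never calls the handler.
    register_rest_route('example/v1', '/settings', [
        'methods'             => 'POST',
        'callback'            => 'example_update_setting',
        'permission_callback' => function (WP_REST_Request $request) {
            // Only administrators (or anyone granted this capability) may
            // change plugin settings. Authenticated REST calls from the
            // browser also need a valid X-WP-Nonce, which is how WordPress
            // decides whether cookie-based requests count as logged in.
            return current_user_can('manage_options');
        },
        // Input validation is separate from authorization; both are needed.
        'args' => [
            'value' => [
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ],
        ],
    ]);
});

// Handler shared by both routes: it trusts that authorization already happened,
// which is exactly why the weak registration above is dangerous.
function example_update_setting(WP_REST_Request $request) {
    $value = $request->get_param('value');
    update_option('example_setting', $value);
    return rest_ensure_response(['updated' => true, 'value' => $value]);
}
```

A quick audit check for this bug class is to grep a plugin for every register_rest_route call and confirm that each one has a permission_callback that actually inspects the caller (current_user_can, a nonce or token check), rather than '__return_true' or nothing at all; any endpoint that writes options, changes user roles or edits redirect rules with a permissive callback is reachable by anyone who can send an HTTP request to the site.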


News URL

https://nakedsecurity.sophos.com/2020/04/02/dont-get-locked-out-of-your-own-website-update-this-wordpress-plugin-now/

Related vendor

Vendor     Products (last 12M)   Low   Medium   High   Critical   Total vulns
Wordpress  7                     2     95       44     18         159
Plugin     2                     0     13       1      0          14