WordPress SEO Plugin - Rank Math < 1.0.41 - Redirect Creation via Unprotected REST API Endpoint



Description
The WordPress SEO Plugin – Rank Math plugin includes a number of optional modules, including a module that can be used to create redirects on a site. In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateRedirection, which failed to include a permission_callback for capability checking. The endpoint called a function, update_redirection, which could be used to create new redirects or modify existing redirects, with an important limitation: the redirect could not be set to an existing file or folder on the server, including the site’s main page. This limited the damage to some extent in that, while an attacker could create a redirect from most locations on the site, including new locations, or any existing post or page other than the homepage, they could not redirect visitors immediately upon accessing the site.
Proof of Concept
curl -X POST --data "redirectionUrl=http://evilsite.com&redirectionSources=<location to redirect from>&hasRedirect=true" http://example.site/wp-json/rankmath/v1/updateRedirection

Affects Plugin

fixed in version 1.0.41

References

CVE 2020-11515
URL https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/

Classification

Type REDIRECT
CWE CWE-601

Miscellaneous

Original Researcher Ramuel Gall (Wordfence)
Submitter Ramuel Gall
Views 1137
Verified No
WPVDB ID 10158

Timeline

Publicly Published 2020-03-31 (about 2 months ago)
Added 2020-03-31 (about 2 months ago)
Last Updated 2020-04-09 (about 2 months ago)
