Critical WordPress Plugin Bug Lets Hackers Turn Users Into Admins
A vulnerability has been found in a WordPress SEO plugin that allows attackers to grant admin privileges to any registered user on sites running WordPress. This leaves 200,000 sites with active installations vulnerable to attack if left unpatched. The plugin, called Rank Math, allows website owners to perform search engine optimization to attract more site traffic.
The plugin also features support for Google Schema Markup, keyword optimization, Google Search Console integration, and Google keyword rank tracking. The vulnerability was uncovered by Defiant’s Wordfence Threat Intelligence team, which traced the flaw to an unprotected REST-API endpoint. The security team then found that successfully exploiting the bug allowed an attacker to grant or revoke admin privileges for any of the site’s registered users. Defiant also reported that attackers could lock admins out of their sites by revoking those admin privileges.
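To show the bug class behind this report, here is an added illustration (not Rank Math's code, and not from Wordfence) of a WordPress REST route that changes user roles with no authorization check, next to a hardened version; the namespace, route names and parameter names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Namespace, routes and
// parameter names are invented for illustration.

add_action( 'rest_api_init', function () {
    // WEAK: '__return_true' answers "allowed" for every caller, so an
    // unauthenticated request can promote or demote any user. This is the
    // shape of an "unprotected REST-API endpoint".
    register_rest_route( 'example-seo/v1', '/update-role', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_role',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the permission callback requires capabilities that only
    // administrators hold by default, and arguments are sanitized and
    // validated before the callback ever runs. Anonymous callers have no
    // capabilities, so they are rejected with a 401/403 by the REST layer.
    register_rest_route( 'example-seo/v1', '/update-role-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_role',
        'permission_callback' => function () {
            return current_user_can( 'edit_users' ) && current_user_can( 'promote_users' );
        },
        'args' => array(
            'user_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'role'    => array(
                'required'          => true,
                'validate_callback' => function ( $role ) {
                    // Allow only roles the site actually defines.
                    return array_key_exists( $role, wp_roles()->roles );
                },
            ),
        ),
    ) );
} );

// Shared handler: the difference between the two routes is entirely in the
// permission_callback and argument checks, not in this function.
function example_update_role( WP_REST_Request $request ) {
    $user = get_user_by( 'id', (int) $request->get_param( 'user_id' ) );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'No such user.', array( 'status' => 404 ) );
    }
    $role = sanitize_key( $request->get_param( 'role' ) );
    $user->set_role( $role ); // replaces all roles; 'administrator' grants admin
    return rest_ensure_response( array( 'user_id' => $user->ID, 'role' => $role ) );
}
```

When auditing a plugin for this class of flaw, grep for `register_rest_route` calls whose `permission_callback` is missing or `__return_true` and check whether the handler touches roles, capabilities or options.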