CVE-2020-11515
CVSS base score: 6.1
Tags: Exploit

Rank Math SEO <= 1.0.40.2 - Redirect Creation via Unprotected REST API Endpoint

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs (that redirect to an external web site) via the unsecured rankmath/v1/updateRedirection REST API endpoint. In other words, this is not an "Open Redirect" issue; instead, it allows the attacker to create a new URI with an arbitrary name (e.g., the /exampleredirect URI).
Possible countermeasure
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings: update to version 1.0.41 or a newer patched version.

Data provided by the National Vulnerability Database (NVD)

Affected configuration (CPE)
Vendor/product: Rankmath Seo, software edition: free, software platform: wordpress, version <= 1.0.40.2

Further vulnerability information
System: WordPress Plugin
Product: Rank Math SEO – AI SEO Tools to Dominate SEO Rankings
Version: *-1.0.40
No advisory was found for this CVE.
EPSS metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  2.07%   0.79

CVSS metrics
Source        Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov  6.1         2.8            2.7           CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov  5.8         8.6            4.9           AV:N/AC:M/Au:N/C:P/I:P/A:N
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

References
https://rankmath.com/changelog/ (Product, Release Notes)
https://wordpress.org/plugins/seo-by-rank-math/#developers (Product)
https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/ (Third Party Advisory, Exploit)
https://www.wordfence.com/threat-intel/vulnerabilities/id/80dfc293-a182-4ed5-9127-6ec788312416 (Third Party Advisory)