Risk for 2 million WordPress sites


A Rank Math plugin vulnerability affects more than 2 million WordPress websites. The flaw, identified as a Stored Cross-Site Scripting (XSS) vulnerability and tracked as CVE-2024-2536, poses a serious risk: it could allow malicious actors to inject and execute harmful scripts, exposing sensitive data to compromise.

Rank Math, a sophisticated plugin for WordPress websites, has long been favored by users looking to streamline their SEO efforts without juggling multiple plugins. The developers behind the plugin have released security patches to fix the vulnerability.

Rank Math plugin vulnerability explained

[Figure: Vulnerability of the Rank Math plugin. Source: Wordfence]

The Rank Math plugin vulnerability was discovered by researcher Ngô Thiên An (ancorn_), Wordfence security researchers say. It stems from the way the plugin handles attributes in its HowTo block and is present in all versions up to and including 1.0.214.

This lack of input sanitization and output escaping makes it possible for authenticated attackers with contributor-level access or higher to implant arbitrary web scripts. These scripts then run every time a user accesses the affected page, potentially compromising user sessions and sensitive data.

“The Rank Math SEO plugin with AI SEO Tools for WordPress is vulnerable to stored cross-site scripting via HowTo block attributes in all versions up to and including 1.0.214 due to insufficient input checking and output escaping on user-supplied attributes”, says Wordfence.

What is Stored Cross-Site Scripting (XSS) vulnerability?

Stored XSS vulnerabilities like this allow attackers to upload malicious scripts, leading to browser-based attacks that can result in the theft of session cookies, thereby enabling unauthorized access to websites and exfiltration of critical information.

The root cause of this vulnerability lies in insufficient input checking and output escaping, common pitfalls in plugin development that allow XSS vulnerabilities to manifest, particularly in areas where users are allowed to upload or input data.

“This allows authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts into pages that will run whenever a user navigates to an injected page,” Wordfence added.

Input sanitization involves filtering unwanted input such as scripts or HTML before it is stored, ensuring that only expected text entries are processed. Output escaping, on the other hand, encodes values at the point where the website renders them, so that stored content cannot be interpreted as markup or script by the visitor’s browser.
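The following is an added illustration, not code from Rank Math or Wordfence, of the two controls applied to a HowTo-style block: a vulnerable renderer that concatenates stored attributes straight into HTML beside a hardened version that sanitizes on save and escapes on output. The attribute names (`title`, `steps`) and the sample values are assumed for the example; in a real WordPress plugin the equivalents are `sanitize_text_field()`, `esc_html()` and `esc_attr()`.

```php
<?php
// Constructed block attributes as a contributor might save them.
// A tag in the title and a stray quote in a step are the test inputs.
$attrs = [
    'title' => 'Install the plugin <script>alert(1)</script>',
    'steps' => ['Download the zip', 'Upload it" class="injected'],
];

// Vulnerable pattern: values are dropped into text and attribute
// contexts with no escaping, so stored markup becomes live markup.
function render_howto_unsafe(array $a): string {
    $html = '<h2>' . $a['title'] . '</h2><ol>';
    foreach ($a['steps'] as $step) {
        $html .= '<li data-step="' . $step . '">' . $step . '</li>';
    }
    return $html . '</ol>';
}

// Input sanitization (on save): strip tags and surrounding whitespace,
// mirroring what sanitize_text_field() does in WordPress.
function sanitize_attr(string $s): string {
    return trim(strip_tags($s));
}

// Output escaping (on render): encode for HTML so nothing the user
// stored can break out of a text node or an attribute value.
// htmlspecialchars stands in for esc_html()/esc_attr() here so the
// file runs without WordPress loaded.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_howto_safe(array $a): string {
    $title = sanitize_attr((string) $a['title']);
    $html  = '<h2>' . esc($title) . '</h2><ol>';
    foreach ((array) $a['steps'] as $step) {
        $step  = sanitize_attr((string) $step);
        $html .= '<li data-step="' . esc($step) . '">' . esc($step) . '</li>';
    }
    return $html . '</ol>';
}

echo "UNSAFE:\n" . render_howto_unsafe($attrs) . "\n\n";
echo "SAFE:\n"   . render_howto_safe($attrs)   . "\n";
```

Running it with `php` prints the unsafe output with the script tag and the broken attribute intact, and the safe output with the tag removed and the quote encoded as `&quot;`.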

Fortunately, Rank Math quickly resolved this issue by releasing patches to address the vulnerability. Website administrators are strongly encouraged to update their Rank Math SEO plugin to the latest version without delay to protect the security of their website.
