Rank Math SEO

The changelog for the latest version of the WordPress plugin Rank Math SEO, which has 2+ million installs, suggested that a security vulnerability had been fixed, but didn't credit a discoverer. (It did mention a company that redirects vulnerability reports away from developers and WordPress.) Checking in to that, we found that a minor authenticated persistent cross-site scripting (XSS) vulnerability exploitable through a shortcode had been fixed. Only one change was made in that version, which makes it easy to see what was going on. In the file /includes/frontend/class-shortcodes.php, the following line was changed: echo ' get_contact_classes( $allowed, $args ) . '">'; Escaping through the function esc_attr() was added to that: echo ' get_contact_classes( $allowed, $args ) ) . '">'; The reason for that is that the value of user input, in the form shortcode attribute, $args, is output through the function get_contact_classes( ), without it being sanitized, validated, or escaped: $args shortcode_atts( [ 'show' > 'all', 'class' > '', ], $args, echo ' get_contact_classes( $allowed, $args ) . '">'; private function get_contact_classes( $allowed, $extra_class ) { $classes ; foreach ( $allowed as $elem ) { $classes sanitize_html_class( 'show-' . $elem ); } if ( count( $allowed ) 1 ) { $classes sanitize_html_class( 'show-' . $elem . '-only' ); } return join( ' ', array_filter( $classes ) ); That would allow malicious JavaScript to be output on pages with the shortcode. The escaping added stops that from happening. The risk caused by that is limited since an attacker would need to be able to create a WordPress post and not be able to include JavaScript otherwise, which is only true of two of the four WordPress roles that can create posts. Untrusted individuals usually wouldn't have the ability to create new posts. We checked for any similar issues in the code from other shortcodes provided by the plugin and didn't find any additional issues. Proof of Concept Creating a new post as a user with the Author role, which doesn’t have the unfiltered_html, with the following shortcode will cause an alert box with any available cookies to be shown when hovering over the plugin’s content on the page.

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: Rank Math SEO

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability Fixed in Rank Math SEO

Authenticated Settings Reset Vulnerability in Rank Math SEO