Don’t get locked out of your own website – update this WordPress plugin now! – Naked Security


Researchers at Wordfence, a company that provides cybersecurity services for WordPress users, have warned of two security problems in a popular WordPress plugin called Rank Math.

That’s “math” as in “calculations relating to” and “rank” as in “search engine rating”, not “rank math” as in a real stinker of a calculus problem.

The creators of Rank Math, it seems, had neglected to put security checks on some of the remote commands that the plugin supports.

As a result, someone who hadn’t logged in could have triggered two related bugs.

In the first bug, a regular user could have promoted themselves to an administrator without logging in first.

That’s a sneaky sort of bug for a discontented user to have at their disposal, because it means they could acquire admin privileges without leaving anything in the logs that tied the modification directly to them.

That might give them plausible deniability for how they “accidentally” found themselves in the Captain’s chair.

Also, this bug allows a privilege change in general, not just a privilege elevation in particular.

So an attacker without an existing account to promote could demote the site’s real administrator instead, potentially locking them out of their own website altogether.
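The missing check the article describes, shown as an added illustration in the WordPress REST API (this is not Rank Math’s code; the demo/v1 namespace, route paths and handler names are assumed for the example): the first route exposes a role-changing endpoint to anyone, logged in or not, while the second refuses callers who are not authenticated and do not hold the promote_users capability.

```php
<?php
// Added illustration, not Rank Math's code. Namespace, routes and function
// names are assumed. Both routes change a user's role; only one checks who asks.

add_action( 'rest_api_init', function () {
    // VULNERABLE: '__return_true' means WordPress runs the handler for any
    // caller, so an unauthenticated request can promote or demote any user.
    register_rest_route( 'demo/v1', '/update-role', array(
        'methods'             => 'POST',
        'callback'            => 'demo_update_role_unchecked',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the permission callback gates the request before the handler.
    register_rest_route( 'demo/v1', '/update-role-safe', array(
        'methods'             => 'POST',
        'callback'            => 'demo_update_role_checked',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Anonymous callers (including cookie sessions without a valid
            // X-WP-Nonce) and users lacking promote_users get a 403.
            if ( ! is_user_logged_in() || ! current_user_can( 'promote_users' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'user_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'role'    => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
        ),
    ) );
} );

function demo_update_role_unchecked( WP_REST_Request $request ) {
    // Applies whatever role the request names to whatever user id it names.
    wp_update_user( array( 'ID' => (int) $request['user_id'], 'role' => $request['role'] ) );
    return rest_ensure_response( array( 'updated' => true ) );
}

function demo_update_role_checked( WP_REST_Request $request ) {
    $role = $request['role'];
    // Reject role names WordPress does not know about.
    if ( ! get_role( $role ) ) {
        return new WP_Error( 'rest_invalid_role', 'Unknown role.', array( 'status' => 400 ) );
    }
    $result = wp_update_user( array( 'ID' => $request['user_id'], 'role' => $role ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'updated' => true ) );
}
```

When auditing a plugin, grep its register_rest_route calls for permission_callback values of '__return_true' on routes that write data; each one is a candidate for exactly the class of bug described above.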
