Rank Math SEO plugin, with over 2 million users, recently addressed a Stored Cross-Site Scripting vulnerability that allowed attackers to upload malicious scripts and launch attacks.
Rank Math SEO Plugin
Rank Math is a popular SEO plugin installed on over 2 million websites. It boasts a wide range of features, including keyword tracking, Schema.org structured data integration, Google Search Console and Analytics integration, a redirect manager, and other functionalities that eliminate the need for additional plugins for both technical and on-page SEO.
A notable feature appreciated by users is its modular design, enabling users to activate only the necessary features and disable the rest to enhance website performance.
Many users prefer Rank Math over Yoast. A comparison reveals that Rank Math is smaller (61.1k lines of code vs. Yoast’s 97.1k lines) and consumes fewer server resources (+0.35 MB of memory vs. Yoast’s +1.62 MB).
Authenticated Stored Cross-Site Scripting
Wordfence WordPress security researchers identified a vulnerability in the Rank Math SEO plugin, leading to a stored Cross-Site Scripting (XSS) vulnerability.
A stored XSS vulnerability allows attackers to inject malicious scripts that the site saves and later serves to other visitors, which can lead to browser-based attacks, session cookie theft, unauthorized website access, and the compromise of sensitive data.
Insufficient Input Sanitization and Output Escaping
The vulnerability stemmed from insufficient input sanitization and output escaping, common causes of XSS vulnerabilities in areas of plugins that permit user data uploads or inputs.
Input sanitization filters unwanted content, such as script tags or HTML markup, out of fields where only plain text is expected. Output escaping encodes characters that carry meaning in HTML (such as <, >, and quotes) before stored data is written into a page, so the browser renders that data as text instead of interpreting it as markup or script.
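The two controls described above, shown on a block whose attributes are stored and rendered the way a HowTo block's are. This is an added example, not code from Rank Math or Wordfence; the attribute shape (a title plus a list of steps) and every function name are assumptions chosen for illustration, and the WordPress equivalents named in the comments (esc_html, esc_attr, sanitize_text_field) are the PHP functions a plugin would call in place of these helpers.

```javascript
// Added example, not code from Rank Math or Wordfence. It shows why a block's
// stored attributes become a stored XSS when rendered without output escaping,
// and what sanitize-on-input plus escape-on-output looks like. The attribute
// shape (title + steps) and all function names are assumptions for illustration.

// Escape for HTML text and double-quoted attribute contexts: the five characters
// that can change HTML structure. WordPress's esc_html()/esc_attr() play this role.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Input sanitization for a plain-text attribute: drop any tags, since only text
// is expected here (comparable to WordPress's sanitize_text_field()).
function sanitizeText(value) {
  return String(value).replace(/<[^>]*>/g, "").trim();
}

// Save-time step: return a cleaned copy of the block attributes.
function sanitizeHowToAttributes(attrs) {
  return {
    title: sanitizeText(attrs.title),
    steps: attrs.steps.map((s) => ({
      title: sanitizeText(s.title),
      description: sanitizeText(s.description),
    })),
  };
}

// VULNERABLE render: attributes are interpolated straight into markup, so a
// quote in the title breaks out of the data-title attribute and a tag in a
// step description becomes live HTML for every visitor.
function renderHowToUnsafe(attrs) {
  const steps = attrs.steps
    .map((s) => `<li><strong>${s.title}</strong> ${s.description}</li>`)
    .join("");
  return `<div class="howto" data-title="${attrs.title}"><h3>${attrs.title}</h3><ol>${steps}</ol></div>`;
}

// HARDENED render: every interpolation is escaped for its context. This stays
// safe even if the save-time sanitizer was bypassed or never ran.
function renderHowToSafe(attrs) {
  const title = escapeHtml(attrs.title);
  const steps = attrs.steps
    .map((s) => `<li><strong>${escapeHtml(s.title)}</strong> ${escapeHtml(s.description)}</li>`)
    .join("");
  return `<div class="howto" data-title="${title}"><h3>${title}</h3><ol>${steps}</ol></div>`;
}

// Constructed sample attributes, as a post editor could save them: one value
// breaks out of an attribute, one injects a tag into text content.
const SAMPLE_ATTRS = {
  title: 'Bake bread" onmouseover="alert(1)',
  steps: [
    { title: "Mix", description: "Combine flour & water" },
    { title: "Prove", description: "<script>alert(1)</script>" },
  ],
};

console.log(renderHowToUnsafe(SAMPLE_ATTRS));
console.log(renderHowToSafe(SAMPLE_ATTRS));
console.log(renderHowToSafe(sanitizeHowToAttributes(SAMPLE_ATTRS)));
```

Running the three renders shows the point of the fix: the sanitizer removes the script tag from the description but leaves the quote in the title, so the unsafe render of sanitized attributes still breaks out of the attribute; only the escaped render is safe in both places. A review of a block like this should walk every place the attributes are written out, and if the same values also feed a JSON-LD structured-data block, that context needs JSON encoding rather than HTML escaping.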
Wordfence warned:
“The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HowTo block attributes in all versions up to, and including, 1.0.214 due to insufficient input sanitization and output escaping on user-supplied attributes.
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
Rank Math’s update changelog transparently acknowledges the changes made in the plugin and the reason for the update. This transparency helps users understand the importance of a given update and make informed decisions regarding the urgency of the update.
The changelog identifies the patched vulnerability:
“Improved: Strengthened the security of the plugin’s HowTo Block to prevent potential exploitation by users with post-edit access. Thanks to Wordfence for revealing it responsibly.”
Further Resources:
- The WordPress Security Guide To Keep Your Site Safe
- WordPress Security: 16 Steps to Secure & Protect Your Site
Featured Image by Shutterstock/Roman Samborskyi