CVE-2020-11514
📋 TL;DR
CVE-2020-11514 is an unauthenticated privilege escalation vulnerability in the Rank Math SEO plugin for WordPress. The plugin's REST API endpoint /wp-json/rankmath/v1/updateMeta accepted metadata updates without any authentication or capability check, so a remote attacker could modify arbitrary WordPress metadata, including the capabilities of any registered user, and grant administrator privileges to an account they control (for example one created through open registration). Every WordPress site running a vulnerable version of Rank Math is affected.
💻 Affected Systems
- Rank Math SEO WordPress Plugin
📦 What is this software?
Rank Math SEO (WordPress.org plugin slug: seo-by-rank-math) is a widely installed WordPress plugin that manages on-page SEO settings such as titles, meta descriptions, schema markup, sitemaps and redirections. Much of its admin interface talks to the site through custom REST API routes under the rankmath/v1 namespace, which is where the vulnerable endpoint lives.
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover: attackers can create admin accounts, modify all content, install backdoors, and potentially compromise the entire server.
Likely Case
Site defacement, SEO spam injection, malware distribution, or credential theft through admin access.
If Mitigated
None if the plugin is updated, or if the vulnerable endpoint is blocked for unauthenticated requests by one of the workarounds below.
🎯 Exploit Status
A single unauthenticated HTTP POST to the vulnerable endpoint is enough; no credentials, nonce or user interaction are needed. Exploitation in the wild was reported after public disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.41 and later
Vendor Advisory: https://rankmath.com/changelog/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Rank Math SEO plugin.
4. Click 'Update Now' if available, or manually update to version 1.0.41 or later.
5. Verify that the update completes successfully and that the listed version is 1.0.41 or later.
🔧 Temporary Workarounds
Block the vulnerable REST API endpoint
Block access to the vulnerable REST API route via .htaccess or the web server configuration. Note that WordPress exposes every REST route in two forms: the pretty-permalink form /wp-json/<route> and the query-string form /?rest_route=/<route>, which works on every site regardless of permalink settings. A rule that only matches the /wp-json/ path leaves the second form open, so both must be blocked. WordPress also matches REST routes case-insensitively, hence the NC flags.
# Add to .htaccess, above the "# BEGIN WordPress" block (WordPress's own rules end with [L] and would otherwise win):
<IfModule mod_rewrite.c>
RewriteEngine On
# Pretty-permalink form: /wp-json/rankmath/v1/updateMeta
RewriteRule ^wp-json/rankmath/v1/updateMeta - [F,L,NC]
# Query-string form: /?rest_route=/rankmath/v1/updateMeta (the slashes are often sent percent-encoded as %2F)
RewriteCond %{QUERY_STRING} rest_route=(/|%2F)rankmath(/|%2F)v1(/|%2F)updateMeta [NC]
RewriteRule ^ - [F,L]
</IfModule>
Restrict the REST API to logged-in users
Reject anonymous REST API requests if the site does not need them. Two caveats: this breaks any legitimate anonymous REST consumer (headless front ends, some contact-form and e-commerce integrations), and it only narrows the attacker pool. The vulnerable endpoint performs no capability check, so any logged-in account, including a subscriber created through open registration, can still call it. Sites with open registration should use the endpoint block above instead of, or in addition to, this filter.
# Add to the active theme's functions.php (or, more robustly, a file in wp-content/mu-plugins/ so it survives a theme switch):
add_filter('rest_authentication_errors', function ($result) {
    // Respect an earlier error or explicit success from another authentication handler.
    if (!empty($result)) {
        return $result;
    }
    // Reject anonymous REST requests. Logged-in users of any role still get through.
    if (!is_user_logged_in()) {
        return new WP_Error('rest_not_logged_in', 'You are not currently logged in.', array('status' => 401));
    }
    return $result;
});
🧯 If You Can't Patch
- Immediately disable the Rank Math plugin via the WordPress admin panel, or by renaming the wp-content/plugins/seo-by-rank-math directory if the admin panel is unavailable
- Implement web application firewall (WAF) rules that block requests to /wp-json/rankmath/v1/updateMeta and to any request whose query string contains rest_route=/rankmath/v1/updateMeta (match case-insensitively and after URL decoding, since the slashes are commonly sent as %2F)
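The .htaccess and WAF rules above match on the URL, which is why each has to cover both URL forms and case variants. A stopgap that runs inside WordPress can instead match on the resolved REST route and ask the real capability question. The following must-use plugin is an added example written for this page; it is not Rank Math's code, not the vendor's patch, and not taken from the Wordfence writeup. It relies only on WordPress core APIs (the rest_request_before_callbacks filter, WP_REST_Request::get_route(), current_user_can(), rest_authorization_required_code()) and assumes the route name /rankmath/v1/updateMeta cited in this advisory; the rm_guard_ function names and the log message format are this example's own choices.

```php
<?php
/**
 * Plugin Name: Rank Math updateMeta guard (stopgap for CVE-2020-11514)
 * Description: Denies the rankmath/v1/updateMeta REST route to anyone without
 *              manage_options and logs the attempt. Save as
 *              wp-content/mu-plugins/rm-guard.php and delete it once Rank Math
 *              has been updated.
 */

// Routes to guard, lower-cased and without a trailing slash. WordPress matches
// REST routes case-insensitively and strips trailing slashes, so the comparison
// below normalises the requested route the same way before looking it up.
const RM_GUARDED_ROUTES = [ '/rankmath/v1/updatemeta' ];

/**
 * True when the requested route is one of the guarded routes.
 * Kept as a plain function so it can be exercised without a WordPress install.
 */
function rm_guard_is_guarded( string $route ): bool {
	$normalised = strtolower( rtrim( $route, '/' ) );
	return in_array( $normalised, RM_GUARDED_ROUTES, true );
}

/**
 * Runs for every REST request after the route has been resolved but before the
 * endpoint's permission callback and handler. Because it sees the resolved
 * route, it covers /wp-json/rankmath/v1/updateMeta and
 * /?rest_route=/rankmath/v1/updateMeta alike, whatever the letter case.
 *
 * @param mixed           $response null unless an earlier filter already answered.
 * @param array           $handler  The matched route handler (unused here).
 * @param WP_REST_Request $request  The request being dispatched.
 * @return mixed|WP_Error
 */
function rm_guard_rest_request( $response, $handler, $request ) {
	// Another filter already produced a response or error; leave it alone.
	if ( null !== $response ) {
		return $response;
	}
	if ( ! rm_guard_is_guarded( $request->get_route() ) ) {
		return $response;
	}
	// Only administrators may call this endpoint while the vulnerable version is installed.
	// REST authentication has already run at this point, so current_user_can() is reliable.
	if ( current_user_can( 'manage_options' ) ) {
		return $response;
	}
	// Log the denied attempt so it can be picked up by the detection steps below.
	// REMOTE_ADDR is the proxy's address when the site sits behind a reverse proxy.
	error_log( sprintf(
		'rm-guard: denied %s %s from %s (user id %d)',
		$request->get_method(),
		$request->get_route(),
		$_SERVER['REMOTE_ADDR'] ?? 'unknown',
		get_current_user_id()
	) );
	// Returning a WP_Error here short-circuits the permission callback and the handler.
	// rest_authorization_required_code() gives 401 for anonymous callers, 403 for
	// logged-in users lacking the capability.
	return new WP_Error(
		'rest_forbidden',
		'This endpoint is disabled until Rank Math is updated.',
		[ 'status' => rest_authorization_required_code() ]
	);
}
add_filter( 'rest_request_before_callbacks', 'rm_guard_rest_request', 10, 3 );
```

Must-use plugins load before regular plugins and cannot be deactivated from the admin panel, which is what you want for a hold-the-line control. The guard is deliberately stricter than a normal permission callback (it demands manage_options rather than whatever editing capability the endpoint was meant to require), because the goal is to close the hole until the real fix is installed, not to reproduce the plugin's intended authorization model.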
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Rank Math version. If version is 1.0.40.2 or earlier, you are vulnerable.
Check Version:
wp plugin list --name=seo-by-rank-math --field=version
(The WP-CLI name is the plugin directory slug, seo-by-rank-math, not rank-math; the latter returns nothing.)
Verify Fix Applied:
After updating, confirm Rank Math version shows 1.0.41 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-json/rankmath/v1/updateMeta, or to any URL whose query string contains rest_route=/rankmath/v1/updateMeta (commonly percent-encoded as rest_route=%2Frankmath%2Fv1%2FupdateMeta), from sources that are not logged-in administrators
- Unexpected changes to users' role assignments, which WordPress stores in the wp_usermeta table under the wp_capabilities key (the prefix follows your table prefix); compare against a known-good export or an audit-log plugin's records
- New administrator accounts, or existing low-privilege accounts that suddenly hold the administrator role
Network Indicators:
- POST requests to WordPress REST API endpoints from external IPs that are not otherwise interacting with the site, especially with scripting user agents
- A user registration followed within minutes by POSTs to the updateMeta route from the same source, then logins to wp-admin
SIEM Query:
http.method:POST AND (http.uri:"/wp-json/rankmath/v1/updateMeta" OR http.uri:*rest_route=*rankmath*updateMeta*) AND NOT user.id:*
(Field names are ECS-style placeholders; adapt them to your schema. The NOT user.id:* clause only works for log sources that record the authenticated WordPress user, which plain web server access logs do not, so on access-log data drop that clause and review every hit.)
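Access logs are usually the only record of exploitation attempts on a site that had no WAF or audit plugin installed, and a plain grep for "updateMeta" misses the percent-encoded rest_route form. The script below is an added example for this page, not a tool from Rank Math or Wordfence; it scans combined-format (Apache/Nginx) access log lines, resolves which REST route each request targets in either URL form, and reports every hit on the updateMeta route together with a per-IP tally of how many returned 2xx. The sample log lines at the bottom are constructed for illustration (documentation address ranges), and the file name rankmath_log_scan.php is this example's own.

```php
<?php
// rankmath_log_scan.php: find requests to the Rank Math updateMeta REST route
// in an access log written in the Apache/Nginx "combined" format. Usage:
//   php rankmath_log_scan.php /var/log/apache2/access.log
// With no argument it scans the constructed sample lines at the bottom.

const TARGET_ROUTE = '/rankmath/v1/updatemeta';   // compared lower-cased, no trailing slash

// ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
const COMBINED_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';

/**
 * Work out which REST route a request target addresses, or null if it is not a
 * REST request. Both URL forms WordPress accepts are handled:
 *   /wp-json/<route>         (pretty permalinks, also under a subdirectory install)
 *   /?rest_route=/<route>    (always available, usually sent percent-encoded)
 * A rest_route value sent in a POST body is invisible in access logs; only the
 * request line is examined here.
 */
function rest_route_from_target(string $target): ?string {
    $parts = parse_url($target);
    if ($parts === false) {
        return null;
    }
    $route = null;
    $path  = rawurldecode($parts['path'] ?? '');
    if (preg_match('#/wp-json(/.+)$#', $path, $m)) {
        $route = $m[1];
    }
    if (!empty($parts['query'])) {
        parse_str($parts['query'], $query);            // decodes %2F and friends
        if (isset($query['rest_route']) && is_string($query['rest_route'])) {
            $route = $query['rest_route'];             // query-string form wins when both appear
        }
    }
    return $route === null ? null : strtolower(rtrim($route, '/'));
}

/** Scan log lines and return one record per request that hit TARGET_ROUTE. */
function scan_lines(iterable $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(COMBINED_RE, $line, $m)) {
            continue;                                  // blank or not combined format
        }
        [, $ip, $time, $method, $target, $status] = $m;
        if (rest_route_from_target($target) !== TARGET_ROUTE) {
            continue;
        }
        $hits[] = [
            'ip'     => $ip,
            'time'   => $time,
            'method' => strtoupper($method),
            'status' => (int) $status,
            'target' => $target,
        ];
    }
    return $hits;
}

/** Per-IP summary: total requests and how many got a 2xx (the write likely went through). */
function summarise(array $hits): array {
    $by_ip = [];
    foreach ($hits as $h) {
        $by_ip[$h['ip']]['total'] = ($by_ip[$h['ip']]['total'] ?? 0) + 1;
        $by_ip[$h['ip']]['ok']    = ($by_ip[$h['ip']]['ok'] ?? 0) + ($h['status'] < 300 ? 1 : 0);
    }
    return $by_ip;
}

// Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
$sample = [
    '203.0.113.5 - - [27/Mar/2020:10:12:01 +0000] "POST /wp-json/rankmath/v1/updateMeta HTTP/1.1" 200 45 "-" "python-requests/2.23.0"',
    '203.0.113.5 - - [27/Mar/2020:10:12:03 +0000] "POST /?rest_route=%2Frankmath%2Fv1%2FupdateMeta HTTP/1.1" 200 45 "-" "python-requests/2.23.0"',
    '198.51.100.9 - - [27/Mar/2020:10:15:44 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [27/Mar/2020:10:20:00 +0000] "POST /blog/wp-json/RankMath/v1/UpdateMeta/ HTTP/1.1" 403 0 "-" "curl/7.68.0"',
];

$lines = isset($argv[1]) ? new SplFileObject($argv[1]) : $sample;
$hits  = scan_lines($lines);
foreach ($hits as $h) {
    printf("%s %-15s %s %d %s\n", $h['time'], $h['ip'], $h['method'], $h['status'], $h['target']);
}
foreach (summarise($hits) as $ip => $s) {
    printf("%-15s %d request(s), %d returned 2xx\n", $ip, $s['total'], $s['ok']);
}
```

On the sample input the scanner reports three hits (the plain, percent-encoded and mixed-case requests) and ignores the ordinary wp/v2/posts call. A 2xx on a POST to this route from an address that never authenticated is the signal to pull the wp_usermeta capabilities rows and the list of recently registered users for that time window.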
🔗 References
- https://rankmath.com/changelog/
- https://wordpress.org/plugins/seo-by-rank-math/#developers
- https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/