CVE-2020-11514
published 2020-04-07


Priority: P185 · Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation status: public exploit; listed in VulnCheck KEV; exploited in the wild
EPSS: 9.11% (94.7th percentile)
The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to update arbitrary WordPress metadata, including the ability to escalate or revoke administrative privileges for existing users via the unsecured rankmath/v1/updateMeta REST API endpoint.

Affected (1 range)

Vendor: rankmath · Product: seo · Version range: <= 1.0.40.2 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /wp-json/rankmath/v1/updateMeta
path: /wp-content/plugins/seo-by-rank-math/readme.txt
path: /wp-content/plugins/seo-by-rank-math/
command: POST /wp-json/rankmath/v1/updateMeta HTTP/1.1
  • Detect unauthenticated POST requests to the /wp-json/rankmath/v1/updateMeta endpoint; no authentication headers are required, making any such request from an external IP suspicious.
  • Alert on POST request bodies to /wp-json/rankmath/v1/updateMeta containing the 'rank_math_capabilities' meta key, which is the mechanism used to escalate or revoke WordPress user privileges.
  • A JSON response body containing literal 'true' with HTTP 200 and Content-Type application/json from /wp-json/rankmath/v1/updateMeta indicates successful exploitation.
  • Presence of /wp-content/plugins/seo-by-rank-math/readme.txt returning HTTP 200 and body containing 'Rank Math' confirms the vulnerable plugin is installed and active on the target.
  • The vulnerability affects Rank Math SEO plugin versions up to and including 1.0.40.2; version 1.0.41 and later are patched. Ensure version checks are scoped accordingly.
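As an added example (not from this page's sources or the Rank Math project), the Python routine below applies the detection points above to constructed reverse-proxy/WAF events in JSON-lines form: it flags POSTs to the updateMeta route, the absence of authentication headers, the rank_math_capabilities key in the request body, and the literal `true` JSON success response. The event field names, request-body layout and sample events are assumptions, and it goes slightly beyond the list by also matching the same route reached through WordPress's `?rest_route=` fallback.

```python
import json
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/wp-json/rankmath/v1/updateMeta"
REST_ROUTE = "/rankmath/v1/updateMeta"   # same route via WordPress's ?rest_route= fallback
CAP_KEY = "rank_math_capabilities"

def targets_updatemeta(uri):
    """True if the URI reaches the updateMeta route by pretty permalink or ?rest_route=."""
    parts = urlsplit(uri)
    if parts.path.rstrip("/") == ENDPOINT:
        return True
    return any(r.rstrip("/") == REST_ROUTE for r in parse_qs(parts.query).get("rest_route", []))

def classify(event):
    """Return detection flags for one proxy/WAF event (dict; field names are assumptions)."""
    if event.get("method") != "POST" or not targets_updatemeta(event.get("uri", "")):
        return []
    flags = ["updatemeta_post"]
    if not {k.lower() for k in event.get("headers", {})} & {"authorization", "cookie"}:
        flags.append("no_auth_headers")      # anonymous write to a metadata endpoint
    if CAP_KEY in event.get("request_body", ""):
        flags.append("capabilities_key")     # the key that changes a user's role
    if (event.get("status") == 200
            and event.get("response_content_type", "").startswith("application/json")
            and event.get("response_body", "").strip() == "true"):
        flags.append("success_response")     # server accepted the update
    return flags

def scan(lines):
    # Parse JSON-lines events; return (client_ip, flags) for every request that hit the route.
    hits = []
    for line in lines:
        event = json.loads(line)
        flags = classify(event)
        if flags:
            hits.append((event.get("client_ip"), flags))
    return hits

# Constructed sample events (not real traffic); the request-body layout is illustrative only.
SAMPLE_LOG = [
    '{"client_ip":"203.0.113.5","method":"POST","uri":"/wp-json/rankmath/v1/updateMeta",'
    '"headers":{"Content-Type":"application/json"},'
    '"request_body":"{\\"meta\\":{\\"rank_math_capabilities\\":\\"...\\"}}",'
    '"status":200,"response_content_type":"application/json; charset=UTF-8","response_body":"true"}',
    '{"client_ip":"192.0.2.10","method":"POST","uri":"/wp-json/rankmath/v1/updateMeta",'
    '"headers":{"Cookie":"wordpress_logged_in_...","X-WP-Nonce":"..."},'
    '"request_body":"{\\"meta\\":{\\"rank_math_title\\":\\"Hello\\"}}",'
    '"status":200,"response_content_type":"application/json","response_body":"true"}',
    '{"client_ip":"203.0.113.9","method":"POST","uri":"/index.php?rest_route=/rankmath/v1/updateMeta",'
    '"headers":{},"request_body":"meta%5Brank_math_capabilities%5D=...","status":403}',
]
```

A hit carrying only `updatemeta_post` and `success_response` with session cookies present (the second sample) is ordinary authenticated use of the plugin; the combination of `no_auth_headers`, `capabilities_key` and `success_response` is the pattern worth paging on.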

CVSS provenance

Source: nvd · Version: 3.1 · Score: 9.8 CRITICAL · Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: nvd · Version: 2.0 · Score: 7.5 HIGH · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Source: vulncheck · Score: 9.8 CRITICAL