Vulnerability Description
The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs (that redirect to an external web site) via the unsecured rankmath/v1/updateRedirection REST API endpoint. In other words, this is not an "Open Redirect" issue; instead, it allows the attacker to create a new URI with an arbitrary name (e.g., the /exampleredirect URI).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rankmath | Seo | <= 1.0.40.2 |
Related Weaknesses (CWE)
References
- https://rankmath.com/changelog/ProductRelease Notes
- https://wordpress.org/plugins/seo-by-rank-math/#developersProduct
- https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-2ExploitThird Party Advisory
- https://rankmath.com/changelog/ProductRelease Notes
- https://wordpress.org/plugins/seo-by-rank-math/#developersProduct
- https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-2ExploitThird Party Advisory
FAQ
What is CVE-2020-11515?
CVE-2020-11515 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs (that redirect to an external web site) via the unsecured rankmath/v1/updateRedirection R...
How severe is CVE-2020-11515?
CVE-2020-11515 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11515?
Check the references section above for vendor advisories and patch information. Affected products include: Rankmath Seo.