Rank Math SEO plugin with over 2+ million users recently patched a Stored Cross-Site Scripting vulnerability that makes it possible for attackers to upload malicious scripts and launch attacks.

Rank Math SEO Plugin

Rank Math is a popular SEO plugin that’s installed in over 2 million websites. It has an incredible array of functions that ranges from keyword tracking, Schema.org structured data integration, Google Search Console and Analytics integration, a redirect manager and other features that make it unnecessary to use other plugins for technical or on-page SEO.

A popular feature that users appreciate is that it’s a modular plugin which means users can choose which features they require and turn off those that they don’t which can help make a website perform even faster.

Many turn to Rank Math as an alternative to Yoast. A comparison between the two shows that Rank Math is smaller (61.1k lines of code versus Yoast’s 97.1k lines) and uses less server resources (+0.35 MB of memory versus Yoast’s +1.62 MB).

Authenticated Stored Cross-Site Scripting

Wordfence WordPress security researchers published an advisory of a vulnerability in Rank Math SEO plugin that can lead to a stored Cross Site Scripting (XSS) vulnerability.

A stored XSS vulnerability allows an attacker to upload malicious scripts and attack browsers which can result in stealing a session cookies which enables unauthorized website access and compromising sensitive data.

Insufficient Input Sanitization And Output Escaping

The source of the vulnerability is due to insufficient input sanitization and output escaping. These are common reasons for an XSS vulnerabilities that occur in areas of plugins that allow users to upload or input data.

Sanitizing input data is like filtering out unwanted type of input like scripts or HTML where only text inputs are expected. Output escaping is a process that validates what’s output by the website to block unwanted output like malicious scripts from reaching a website browser.

Wordfence warned:

“The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HowTo block attributes in all versions up to, and including, 1.0.214 due to insufficient input sanitization and output escaping on user supplied attributes.

This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Rank Math’s update changelog responsibly acknowledges what was changed in their plugin and the reason for the update. This transparency makes it possible for plugin users to understand the importance of a given update and to make an informed decision as to the urgency of the updated.

The changelog identifies the patched vulnerability:

“Improved: Strengthened the security of the plugin’s HowTo Block to prevent potential exploitation by users with post edit access. Thanks to [WordFence]
(https://www.wordfence.com/) for revealing it responsibly”

Read the official Wordfence advisory:

Rank Math SEO with AI SEO Tools <= 1.0.214 – Authenticated(Contributor+) Stored Cross-Site Scripting via HowTo block attributes

See also:

Featured Image by Shutterstock/Roman Samborskyi