Vulnerability Details : CVE-2020-11515
Potential exploit
The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs (that redirect to an external web site) via the unsecured rankmath/v1/updateRedirection REST API endpoint. In other words, this is not an "Open Redirect" issue; instead, it allows the attacker to create a new URI with an arbitrary name (e.g., the /exampleredirect URI).
Vulnerability category: Open redirect
Products affected by CVE-2020-11515
- cpe:2.3:a:rankmath:seo:*:*:*:*:free:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11515
0.33%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 53 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11515
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
8.6
|
4.9
|
NIST | |
|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2020-11515
-
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11515
-
https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/
Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO PluginExploit;Third Party Advisory
-
https://wordpress.org/plugins/seo-by-rank-math/#developers
WordPress SEO Plugin – Rank Math – WordPress plugin | WordPress.orgProduct
-
https://rankmath.com/changelog/
The Official Rank Math SEO Changelog & Release NotesProduct;Release Notes
Jump to