On March 23, 2020, our Threat Intelligence team discovered 2 vulnerabilities in WordPress SEO Plugin – Rank Math, a WordPress plugin with over 200,000 installations. The most critical vulnerability allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site. The second vulnerability allowed an unauthenticated attacker to create redirects from almost any location on the site to any destination of their choice.
We reached out to the plugin’s developer the next day, on March 24, 2020, and received a response within 24 hours. We privately disclosed the full vulnerability details on March 25, 2020, and the plugin developer released a patch on March 26, 2020. We strongly recommend updating to the latest version, 22.214.171.124, as soon as possible as this is considered a critical security issue.
Wordfence Premium customers received a new firewall rule on