WordPress SEO Plugin - Rank Math < 1.0.41 - Redirect Creation via Unprotected REST API Endpoint
The WordPress SEO Plugin – Rank Math plugin ships a number of optional modules, including one for creating redirects on a site. To support this feature, the plugin registered a REST API endpoint, rankmath/v1/updateRedirection, without a permission_callback, so WordPress served it to any visitor with no capability check. The endpoint called a function, update_redirection, which could be used to create new redirects or modify existing ones, with one important limitation: the redirect source could not be an existing file or folder on the server, including the site's main page. This limited the damage to some extent: an unauthenticated attacker could create a redirect from most locations on the site, including non-existent paths and any existing post or page other than the homepage, but could not redirect visitors the moment they landed on the site. The missing permission check was added in version 1.0.41.
Proof of Concept
curl -X POST --data "redirectionUrl=http://evilsite.com&redirectionSources=<location to redirect from>&hasRedirect=true" http://example.site/wp-json/rankmath/v1/updateRedirection
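The root cause is a REST route registered without a permission_callback. As an added illustration (not Rank Math's code), the following PHP registers the route the vulnerable way and then the hardened way. The handler name example_update_redirection, the 'rankmath-fixed/v1' namespace used only to keep the two registrations apart, and the argument validation are assumptions for the example, not taken from the plugin.

```php
<?php
/**
 * Added illustration, not Rank Math's code: the same REST route registered
 * two ways. The namespace/route names mirror the advisory; the handler name
 * and the 'rankmath-fixed/v1' namespace are placeholders for the example.
 */

// Vulnerable pattern: no 'permission_callback'. WordPress treats a route
// without one as public, so any unauthenticated visitor can POST to it
// (WordPress 5.5+ logs a _doing_it_wrong() notice but still serves it).
add_action( 'rest_api_init', function () {
	register_rest_route(
		'rankmath/v1',
		'/updateRedirection',
		array(
			'methods'  => WP_REST_Server::CREATABLE, // POST
			'callback' => 'example_update_redirection',
		)
	);
} );

// Hardened pattern: the permission callback runs before the handler and
// must return true (or a WP_Error) for the request to proceed. A false
// result yields 401 rest_forbidden for anonymous callers and 403 for a
// logged-in user who lacks the capability.
add_action( 'rest_api_init', function () {
	register_rest_route(
		'rankmath-fixed/v1',
		'/updateRedirection',
		array(
			'methods'             => WP_REST_Server::CREATABLE,
			'callback'            => 'example_update_redirection',
			'permission_callback' => function ( WP_REST_Request $request ) {
				// Redirect rules change where the site sends visitors;
				// tie them to a capability only administrators hold.
				return current_user_can( 'manage_options' );
			},
			// Assumed argument schema: validate the target URL and
			// sanitize the source before the handler ever sees them.
			'args'                => array(
				'redirectionUrl'     => array(
					'required'          => true,
					'validate_callback' => function ( $value ) {
						return false !== wp_http_validate_url( $value );
					},
					'sanitize_callback' => 'esc_url_raw',
				),
				'redirectionSources' => array(
					'required'          => true,
					'sanitize_callback' => 'sanitize_text_field',
				),
				'hasRedirect'        => array(
					'type'    => 'boolean',
					'default' => false,
				),
			),
		)
	);
} );

/**
 * Placeholder handler: the plugin's real update_redirection() persists the
 * rule; this one only echoes the validated parameters back to the caller.
 */
function example_update_redirection( WP_REST_Request $request ) {
	return rest_ensure_response(
		array(
			'url'     => $request->get_param( 'redirectionUrl' ),
			'sources' => $request->get_param( 'redirectionSources' ),
			'enabled' => (bool) $request->get_param( 'hasRedirect' ),
		)
	);
}
```

Replaying the proof-of-concept curl above against the hardened route returns 401 with error code rest_forbidden: the REST API treats a request carrying no authentication as logged out, and a browser session only counts if the request also carries a valid X-WP-Nonce header for the wp_rest action, which is what keeps a cross-site POST from riding an administrator's cookies. A logged-in user without manage_options receives 403 from the same check.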