SEO By RankMath, a popular SEO plugin recently fixed several vulnerabilities. One of the issues fixed allowed a subscriber to reset the plugin settings. Web publishers are encouraged to update their plugin.
Description of SEO By RankMath Vulnerability Fix
The WordPress Vulnerability Database (WPVULNDB) announced the vulnerability in SEO by RankMath in a post.
According to WPVULNDB:
“Allows any authenticated user (with a role as low as subscriber) to reset Settings of the plugin.”
There was also a separate Cross Site Scripting issue that was fixed.
A Cross Site Scripting vulnerability is a relatively common problem that allows an attacker to exploit an interactive part of a site (like a form) and submit code that can (among many things) obtain cookie information as well as upload data or scripts to the site.
RankMath Strengthens Security
The above security issues were fixed in version 1.0.27 of the plugin on June 21, 2019. On June 23rd, RankMath issued another update (18.104.22.168) that further strengthened security.
According to the SEO by RankMath changelog:
“Improved sanitization throughout the plugin”
Sanitization means an extra layer of coding that will stop an unexpected input from breaking a script and allowing an exploit.
For example, if a script expects data with no spaces in it, an input with spaces could in this example break the script. Sanitization is an extra step in the code that anticipates a malevolent input and will close that space to prevent the exploit from happening.
RankMath Responsibly Notifies Users
A changelog is a record of what an update changes and fixes. For every update, a WordPress plugin developer publishes a changelog that a user can read.
It’s important to note that RankMath did the right thing and notified users through their changelog that this update contained a security fix.
Many plugin publishers do not alert users that an update contains a security fix.
Perhaps plugin developers fear harming their brand by acknowledging the existence of a vulnerability. Thus they sneak the fix unannounced, without mentioning it in their changelog.
It may be that some plugin developers hope nobody notices that the plugin contained a vulnerability. In my opinion that is irresponsible. It causes a user to be unaware of the urgency of updating a plugin.
RankMath approached this security update in an honorable and transparent manner. Their changelog accurately notes the security update. That’s a sign of a trusted developer.
Of course, all plugins should be updated as soon as an update is available. Security updates should always be applied right away.