Vulnerability Watch

Forum Discussion

Anonymous
6 years ago

New WordPress SEO plugin vulnerability could allow unauthenticated attackers to give guest accounts admin access.

Wordfence released an advisory today detailing two new vulnerabilities, but they do not have assigned CVEs at this time. The most critical vulnerability, when exploited, allows an unauthenticated remote attacker to change the permission levels of registered users. The second vulnerability would allow an attacker to redirect traffic away from the affected site, causing the site to cease functioning.

The critical vulnerability is largely dangerous for site owners that allow guest account registration, as an attacker would then register a new account and change the user's permissions to those of a WordPress admin. The redirect vulnerability could be used to cause a full denial of service to an affected site.

Users of the WordPress SEO plugin are encouraged to update to version 10.0.41 to fix this flaw.

Tenable does not have direct vulnerability detection plugins for these vulnerabilities, but users can use our WordPress Detection Plugin and the WordPress Outdated Plugin Detection to identify WordPress sites that require updates.
