CVE-2020-11515: 
WordPress vulnerability analysis and mitigation

The WordPress SEO Plugin - Rank Math versions below 1.0.41 contained a vulnerability in its redirect creation functionality via an unprotected REST API endpoint. The vulnerability was discovered and disclosed on March 31, 2020, affecting over 200,000 WordPress sites at the time (Wordfence Blog).

The vulnerability stemmed from a REST-API endpoint 'rankmath/v1/updateRedirection' that lacked a permission_callback for capability checking. The endpoint called an update_redirection function that could be used to create new redirects or modify existing ones. While the vulnerability had some limitations, such as not being able to redirect to existing files or folders on the server including the site's main page, it still allowed attackers to create redirects from most locations on the site. The CVSS score was rated at 7.4 (High) with the vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H (Wordfence Blog).

An attacker could exploit this vulnerability to create redirects from most locations on the site, including new locations or any existing post or page except the homepage. This could potentially lead to users being redirected to malicious websites, though the impact was somewhat limited by the inability to redirect the site's main page (WPScan).

The vulnerability was patched in version 1.0.41 of the Rank Math SEO plugin. Users were advised to update to this version or later to protect their websites (Wordfence Blog).