As many as 800,000 WordPress sites are still exposed to two serious vulnerabilities in the All in One SEO plugin.


Two security vulnerabilities, one critical and one of high severity, have been discovered in the popular WordPress plugin All in One SEO, which is installed on more than 3 million websites, exposing those sites to takeover attacks.

The security flaws, discovered and reported by Marc Montpas, a security researcher at Automattic, are a critical "Authenticated Privilege Escalation" bug (CVE-2021-25036) and a high-severity "Authenticated SQL Injection" (CVE-2021-25037).

Over 800,000 vulnerable WordPress sites
The developer of this plugin released a security update to address both All in One bugs on December 7, 2021.

However, according to download statistics for the two weeks since the patch was released, more than 820,000 sites using the plugin have not yet updated their installations and are still exposed to attacks.

What makes these vulnerabilities so dangerous is that, although an attacker must be authenticated to exploit them, only a low-privilege account such as Subscriber is required.

Subscriber is one of WordPress's built-in user roles (alongside Contributor, Author, Editor, and Administrator) and is the role normally granted to visitors who register so that they can comment on posts published on the site; on sites with open registration, anyone can obtain it.

Normally, a Subscriber can do little more than post comments and edit their own profile, but CVE-2021-25036 lets such an account elevate its privileges, execute code on the server, and take over the site completely.

WordPress administrators are urged to update as soon as possible
To exploit CVE-2021-25036 for privilege escalation, "changing one letter to uppercase" in the requested route is enough to bypass all of the permission checks on sites running unpatched versions of All in One SEO: the plugin compared the requested REST route against its list of protected routes with a case-sensitive comparison, while WordPress itself matches REST routes case-insensitively, so the request still reaches the same handler.

This is especially worrisome because some of the plugin's REST API endpoints are very sensitive. For example, aioseo/v1/htaccess can rewrite the site's .htaccess file with arbitrary content.

An attacker can abuse this endpoint to hide a backdoor in .htaccess or to execute malicious code on the server.

WordPress administrators who are using All In One SEO versions affected by these serious vulnerabilities (from 4.0.0 to 4.1.5.2) and have not yet installed the 4.1.5.3 patch are advised to do so immediately.

It is recommended that you check the version of the All In One SEO plugin your site is using and update it as soon as possible if it is within the affected range.
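A quick way to perform that check from the command line, added here as an example (it is not code from the article or from the plugin's developer): the functions below compare a version string against the affected range the article gives (4.0.0 through 4.1.5.2, fixed in 4.1.5.3) in plain POSIX sh and, when WP-CLI is installed and the hypothetical WP_PATH variable points at a WordPress root, read the installed version with `wp plugin get all-in-one-seo-pack --field=version` (a real WP-CLI command; all-in-one-seo-pack is the plugin's wordpress.org slug).

```shell
#!/bin/sh
# Added example (not from the article or the plugin): decide whether an
# installed All in One SEO version is inside the affected range 4.0.0 .. 4.1.5.2
# (patched in 4.1.5.3) and, if WP-CLI is available, read the live version.
# Pure POSIX sh: no GNU "sort -V" required.

# vercmp A B: prints -1, 0 or 1 after comparing dot-separated numeric versions.
# Missing components count as 0 ("4.1.5" == "4.1.5.0"); any suffix such as
# "-beta1" is ignored (a simplification: pre-releases compare as their base).
vercmp() {
  a=${1%%[!0-9.]*}
  b=${2%%[!0-9.]*}
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  printf '%s\n' 0
}

# aioseo_affected VERSION: exit 0 when 4.0.0 <= VERSION < 4.1.5.3, else exit 1.
aioseo_affected() {
  [ "$(vercmp "$1" 4.0.0)" -ge 0 ] && [ "$(vercmp "$1" 4.1.5.3)" -lt 0 ]
}

# aioseo_verdict VERSION: print a one-line verdict; exit 1 when vulnerable so
# the function can drive a "|| alert" in a larger script.
aioseo_verdict() {
  if aioseo_affected "$1"; then
    printf 'All in One SEO %s: VULNERABLE to CVE-2021-25036 / CVE-2021-25037, update to 4.1.5.3 or later\n' "$1"
    return 1
  fi
  printf 'All in One SEO %s: outside the affected range\n' "$1"
  return 0
}

# Live check. Assumption: this runs on the web host, WP-CLI ("wp") is on PATH and
# WP_PATH (a variable chosen for this example) points at the WordPress root.
if command -v wp >/dev/null 2>&1 && [ -n "${WP_PATH:-}" ]; then
  installed=$(wp plugin get all-in-one-seo-pack --field=version --path="$WP_PATH" 2>/dev/null || true)
  if [ -n "$installed" ]; then
    aioseo_verdict "$installed" \
      || printf 'Run: wp plugin update all-in-one-seo-pack --path=%s\n' "$WP_PATH"
  fi
fi
```

Run it with WP_PATH set on each host to get a verdict per site, or source the file and call aioseo_verdict with the version shown on the wp-admin Plugins page. Because the comparison drops pre-release suffixes, a string like 4.1.5.3-beta1 is treated as 4.1.5.3 and should be judged by hand.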
