Two security vulnerabilities, one critical and one high severity, in the popular “All in One” WordPress SEO plugin have exposed more than 3 million websites to takeover attacks.
The vulnerabilities, discovered and reported by Marc Montpas, a security researcher at Automattic, are a critical authenticated privilege escalation bug (CVE-2021-25036) and a high severity authenticated SQL injection (CVE-2021-25037).
Over 800,000 vulnerable WordPress sites
The plugin's developer released a security update addressing both All in One SEO bugs on December 7, 2021.
However, more than 820,000 sites using the plugin have not yet updated their installation, according to download statistics for the two weeks since the patch was released, and are still vulnerable to attack.
What makes these vulnerabilities especially dangerous is that, although successfully exploiting either one requires the threat actor to be authenticated, a low-privileged account such as Subscriber is all that is needed to abuse them in attacks.
Subscriber is a default WordPress user role (just like Contributor, Author, Editor, and Admin), typically enabled to allow registered users to comment on posts published on WordPress sites.
While subscribers can usually only edit their own profile in addition to posting comments, in this case they can exploit CVE-2021-25036 to elevate their privileges, achieve remote code execution on vulnerable sites and, probably, take them over completely.
Date | Downloads |
2021-12-07 | 336738 |
2021-12-08 | 1403672 |
2021-12-09 | 68941 |
2021-12-10 | 45392 |
2021-12-11 | 31346 |
2021-12-12 | 26677 |
2021-12-13 | 35666 |
2021-12-14 | 34938 |
2021-12-15 | 72301 |
2021-12-16 | 28672 |
2021-12-17 | 24699 |
2021-12-18 | 18774 |
2021-12-19 | 17972 |
2021-12-20 | 25388 |
Total | 2171176 |
WordPress admins urged to update as soon as possible
As Montpas revealed, escalating privileges by abusing CVE-2021-25036 is an easy task on sites running an unpatched All in One SEO version: it is done by “changing a single character to uppercase” to bypass all of the implemented privilege checks.
“This is particularly concerning because some of the plugin’s endpoints are quite sensitive. For example, the aioseo/v1/htaccess endpoint can rewrite a site’s .htaccess with arbitrary content,” Montpas explained.
“An attacker could abuse this functionality to hide .htaccess backdoors and execute malicious code on the server.”
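One way to triage web server access logs for the exposure described above, as an added example that is not from the article, the researcher or the plugin: it flags requests to the htaccess endpoint and, as a heuristic based on the "single character to uppercase" remark, any request to the plugin's REST namespace whose route contains uppercase. The combined log format, the default `/wp-json/` and `?rest_route=` REST prefixes, the placeholder route name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request fields of a combined-format access log line (assumed log format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
NAMESPACE = "/aioseo/v1"               # REST namespace named in the article
SENSITIVE = NAMESPACE + "/htaccess"    # endpoint Montpas singles out

def rest_route(target):
    """Return the REST route in a request target, or None if there is none."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    pos = path.lower().find("/wp-json/")          # default WordPress REST prefix
    if pos != -1:
        return "/" + path[pos + len("/wp-json/"):].strip("/")
    route = parse_qs(parts.query).get("rest_route")  # query-string form
    return "/" + route[0].strip("/") if route else None

def review(lines):
    """Return (ip, method, route, status, reasons) for requests worth triage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        route = rest_route(m.group(3)) if m else None
        # Normalise case before matching so case variants are not missed.
        if not route or not (route.lower() + "/").startswith(NAMESPACE + "/"):
            continue
        reasons = []
        if route.lower() == SENSITIVE:
            reasons.append("htaccess endpoint")
        if route != route.lower():
            reasons.append("uppercase in route")  # heuristic, an assumption
        if reasons:
            hits.append((m.group(1), m.group(2), route, int(m.group(4)), reasons))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder route name).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Dec/2021:10:01:02 +0000] "GET /wp-json/aioseo/v1/placeholder-route HTTP/1.1" 200 512',
    '198.51.100.23 - - [20/Dec/2021:10:02:10 +0000] "POST /wp-json/aioseo/v1/htaccess HTTP/1.1" 401 98',
    '198.51.100.23 - - [20/Dec/2021:10:02:31 +0000] "POST /?rest_route=/aioseo/v1/htaccess HTTP/1.1" 200 45',
    '192.0.2.44 - - [20/Dec/2021:10:05:00 +0000] "GET /wp-json/aioseo/v1/Placeholder-route HTTP/1.1" 200 300',
    '192.0.2.44 - - [20/Dec/2021:10:06:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in review(SAMPLE_LOG):
        print(hit)
```

A hit with a 2xx status from an account that should not reach the plugin's settings deserves a closer look at the site's .htaccess file and user roles.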
WordPress administrators still using the All in One SEO versions affected by these severe vulnerabilities (between 4.0.0 and 4.1.5.2) who have not yet installed patch 4.1.5.3 are advised to do so immediately.
“We recommend that you check which version of the All In One SEO plugin your site is using, and if it is within the affected range, update it as soon as possible,” the researcher warned a week ago.