The security of some 800,000 websites using WordPress is at risk. The popular All in One SEO plugin, which is used by over 3 million websites to improve search engine rankings, features two critical vulnerabilities. They have been addressed in an update released on December 7, but webmasters are taking time to apply this patch.
Automattic security researcher Marc Montpas discovered the security flaws in early December during an internal audit of the All in One SEO plugin. One of the vulnerabilities (CVE-2021-25036) could allow a user with the subscriber role to acquire elevated privileges, while the other (CVE-2021-25037) would open the door to databases holding private information.
A serious and easy to exploit vulnerability
In order to distribute capabilities and permissions among the different types of user, WordPress sites have different roles: administrator, editor, author, contributor and subscriber. The last of these only has the ability to read posts and leave comments on them, but by taking advantage of vulnerability CVE-2021-25036 a subscriber could act as administrator of the site and thus control it completely.
In general terms, and without going into technical details that can be found in this Jetpack article, the attacker could use the vulnerable plugin to bypass privilege checks required by the REST API. It would only have to change a character to uppercase in a request. In this way it could, for example, execute malicious code on the server.
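The pattern the article describes, a privilege check that compares the raw request path while the router matches routes case-insensitively, as an added illustration written for this page (not the plugin's code; the route names, handlers and normalisation rule are constructed assumptions):

```python
from typing import Callable, Optional

# Constructed route names for illustration only; these are NOT the plugin's real endpoints.
PRIVILEGED_ROUTES = {"/example/v1/settings", "/example/v1/tools"}
HANDLERS = {
    "/example/v1/settings": "update_settings",
    "/example/v1/tools": "run_tool",
    "/example/v1/posts": "list_posts",
}


def canonical_route(route: str) -> str:
    """Normalise a route the way the (assumed) dispatcher does: lower-case, no trailing slash."""
    return "/" + route.strip("/").lower()


def dispatch(route: str) -> Optional[str]:
    """Resolve a request path to a handler name using the canonical form."""
    return HANDLERS.get(canonical_route(route))


def requires_admin_vulnerable(route: str) -> bool:
    # Exact comparison on the raw path: "/Example/v1/Settings" is not in the set,
    # yet dispatch() still routes it to update_settings, so the check fails open.
    return route in PRIVILEGED_ROUTES


def requires_admin_fixed(route: str) -> bool:
    # Compare on the same canonical form the dispatcher uses, so every spelling
    # that reaches a privileged handler is also subject to the privilege check.
    return canonical_route(route) in PRIVILEGED_ROUTES


def handle_request(route: str, role: str, requires_admin: Callable[[str], bool]) -> str:
    """Return the handler name if allowed, 'denied' if the role is insufficient, 'not found' otherwise."""
    handler = dispatch(route)
    if handler is None:
        return "not found"
    if requires_admin(route) and role != "administrator":
        return "denied"
    return handler
```

The lesson for reviewers is that authorisation must key on the same normalised route the dispatcher resolves, never on the raw string the client sent.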
The other vulnerability (CVE-2021-25037), which depends on the previous one, could allow the user who elevated their privileges to perform a SQL injection compromising database security. This attack would open the doors to modify data from them or extract sensitive information, including user credentials.
What to do about the vulnerability of All in One SEO
The mentioned vulnerabilities affect versions 4.0.0 to 220.127.116.11 of the All in One SEO plugin. To protect their websites, webmasters must install version 18.104.22.168, which can be obtained from this link. It is also recommended to keep all plugins updated to avoid possible security risks.
Images | wordpress | Stephen Phillips (Unsplash)
Via | BleepingComputer