800K WordPress sites still impacted by a critical flaw in the SEO plugin


One critical and one high-severity security vulnerability in the popular All in One SEO WordPress plugin have exposed more than 3 million websites to takeover attacks.

The security vulnerabilities, discovered and reported by Marc Montpas, a security researcher at Automattic, are a critical authenticated privilege escalation bug (CVE-2021-25036) and a high-severity authenticated SQL injection (CVE-2021-25037).

Over 800,000 vulnerable WordPress sites

The plugin developer released a security update addressing both All in One SEO bugs on December 7, 2021.

However, according to download statistics for the two weeks since the patch was released, more than 820,000 sites using the plugin have not yet updated their installation and remain vulnerable to attack.

What makes these vulnerabilities particularly dangerous is that, although successfully exploiting either of them requires authentication, an attacker only needs a low-privilege account such as Subscriber to abuse them.

Subscriber is a default WordPress user role (alongside Contributor, Author, Editor, and Administrator), typically enabled to let registered users comment on posts published on WordPress sites.

While subscribers can normally only edit their own profile and post comments, in this case they can exploit CVE-2021-25036 to elevate their privileges, achieve remote code execution on vulnerable sites and, most likely, take them over completely.

Plugin downloads per day since the patch was released:

Date          Downloads
2021-12-07      336738
2021-12-08     1403672
2021-12-09       68941
2021-12-10       45392
2021-12-11       31346
2021-12-12       26677
2021-12-13       35666
2021-12-14       34938
2021-12-15       72301
2021-12-16       28672
2021-12-17       24699
2021-12-18       18774
2021-12-19       17972
2021-12-20       25388
Total          2171176

WordPress admins urged to update as soon as possible

As Montpas revealed, escalating privileges by abusing CVE-2021-25036 is trivial on sites running an unpatched All in One SEO version: “changing a single character to uppercase” is enough to bypass all of the privilege checks the plugin implements.

“This is particularly concerning because some of the plugin’s endpoints are quite sensitive. For example, the aioseo/v1/htaccess endpoint can rewrite a site’s .htaccess with arbitrary content,” Montpas explained.

“An attacker could abuse this functionality to hide .htaccess backdoors and execute malicious code on the server.”
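The bug class behind a "change one character to uppercase" bypass is a permission layer that compares the requested route case-sensitively while the router underneath resolves it case-insensitively. The following added example, written for this article and not taken from the plugin's code, simulates that mismatch with hypothetical routes and roles (only the htaccess route name comes from the quote above) and places the vulnerable check beside a hardened one that decides on the router's canonical name and denies by default.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical route table. Only the "htaccess" route name is taken from the
# article; the status route and the role names are constructed for this example.
SENSITIVE_ROUTES = {"/aioseo/v1/htaccess"}
PUBLIC_ROUTES = {"/aioseo/v1/status"}
ALL_ROUTES = SENSITIVE_ROUTES | PUBLIC_ROUTES


@dataclass
class Request:
    route: str  # path exactly as the client sent it, spelling untouched
    role: str   # WordPress role of the authenticated user


def match_route(route: str) -> Optional[str]:
    """Router layer: resolves a handler case-insensitively, as many HTTP
    routers do, and returns the canonical route name it matched."""
    wanted = route.lower()
    for known in ALL_ROUTES:
        if known.lower() == wanted:
            return known
    return None


def permission_check_vulnerable(req: Request) -> bool:
    """Bug class: only the exact spelling in the allowlist is gated. A route
    that differs by letter case is not in the set, so it falls through to the
    permissive default, yet the router will still dispatch it."""
    if req.route in SENSITIVE_ROUTES:
        return req.role == "administrator"
    return True


def permission_check_hardened(req: Request) -> bool:
    """Fix: decide on the same canonical name the router resolves, and deny by
    default so an unrecognised or unlisted route is never treated as public."""
    canonical = match_route(req.route)
    if canonical is None:
        return False
    if canonical in PUBLIC_ROUTES:
        return True
    return req.role == "administrator"


def serve(req: Request, permission_check: Callable[[Request], bool]) -> str:
    """Simulated request pipeline: permission check first, then routing."""
    if not permission_check(req):
        return "denied"
    if match_route(req.route) is None:
        return "not found"
    return "executed"


if __name__ == "__main__":
    # One character upper-cased relative to the canonical route name.
    low = Request("/aioseo/v1/Htaccess", "subscriber")
    print("vulnerable check:", serve(low, permission_check_vulnerable))  # executed
    print("hardened check:  ", serve(low, permission_check_hardened))    # denied
```

The hardened variant also closes the "unknown route is public" default: anything the router cannot resolve is refused before any handler runs, which is the behaviour a REST permission callback should have regardless of how the route table is spelled.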

WordPress administrators still running an All In One SEO version affected by these severe vulnerabilities (4.0.0 through 4.1.5.2) who have not yet installed the patched release, 4.1.5.3, are advised to do so immediately.

“We recommend that you check which version of the All In One SEO plugin your site is using, and if it is within the affected range, update it as soon as possible,” the researcher warned a week ago.
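To turn that recommendation into a repeatable check, the added script below (written for this article, not part of the plugin or of WordPress) reads the `Version:` field from a plugin's main file header and compares it against the affected range stated above (4.0.0 through 4.1.5.2, patched in 4.1.5.3). The plugin file path is an assumption and should be verified against your own `wp-content/plugins` directory; the header used in the demonstration is constructed.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Version bounds from the article: 4.0.0 through 4.1.5.2 are affected, 4.1.5.3 is patched.
AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (4, 1, 5, 2)
PATCHED = (4, 1, 5, 3)

# Assumed location of the plugin's main file inside a WordPress install
# (placeholder: verify the exact path in your own wp-content/plugins directory).
PLUGIN_MAIN_FILE = Path("wp-content/plugins/all-in-one-seo-pack/all_in_one_seo_pack.php")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.1.5.2' into (4, 1, 5, 2); a trailing tag such as '-beta' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the version lies inside the range the advisory names as vulnerable.
    Tuple comparison handles shorter versions such as 4.1.5 correctly."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def version_from_header(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def assess_header(header_text: str) -> str:
    """Classify a plugin header as vulnerable, ok, or unknown."""
    version = version_from_header(header_text)
    if version is None:
        return "unknown: no Version header found"
    if is_affected(version):
        return f"VULNERABLE: {version} (update to {'.'.join(map(str, PATCHED))} or later)"
    return f"ok: {version}"


def assess_file(main_file: Path) -> str:
    """Read only the header portion of the plugin's main file and assess it."""
    header = main_file.read_text(encoding="utf-8", errors="replace")[:8192]
    return assess_header(header)


if __name__ == "__main__":
    # Constructed plugin header for demonstration; on a real site call
    # assess_file(PLUGIN_MAIN_FILE) instead.
    sample = "<?php\n/**\n * Plugin Name: All in One SEO\n * Version: 4.1.5.2\n */\n"
    with tempfile.TemporaryDirectory() as tmp:
        demo = Path(tmp) / "plugin.php"
        demo.write_text(sample, encoding="utf-8")
        print(assess_file(demo))
```

Run it from the WordPress document root against `PLUGIN_MAIN_FILE`, or loop over several installs; the same range check applies whether the version comes from the file header or from the plugin list in the WordPress dashboard.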
