During an internal audit, security researchers at Jetpack uncovered two All In One SEO vulnerabilities described as severe. An SQL Injection vulnerability and a Privilege Escalation bug were discovered in this popular WordPress plugin installed 3+ million times.
If exploited, these vulnerabilities could allow an attacker to gain privileged database access, exposing usernames and hashed passwords along with other data, and could allow low-privileged accounts such as subscribers to perform remote code execution.
Authenticated Privilege Escalation (CVE-2021-25036)
The Authenticated Privilege Escalation bug could grant hackers access to protected REST API endpoints they shouldn’t have access to.
Affected All In One SEO plugin releases are every version from 4.0.0 to 4.1.5.2 inclusive. The plugin developers recently patched the issue and released version 4.1.5.3.
Authenticated SQL Injection (CVE-2021-25037)
This vulnerability could be exploited via the PostsTerms::searchForObjects() method, which is accessible through the /wp-json/aioseo/v1/objects REST API route. The method only escaped user input using wpdb::esc_like() before appending the input to an SQL query.
Since wpdb::esc_like() is not designed to escape quotes, an attacker could still inject them and force the query to leak sensitive information from the database, such as user credentials.
Normally this endpoint is not meant to be accessible to users with low-privileged accounts; however, the Authenticated Privilege Escalation bug makes it possible for such an attacker to reach the endpoint and abuse this vulnerability.
Every All In One SEO plugin release from 4.1.3.1 to 4.1.5.2 inclusive is affected.
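To make the escaping point concrete, here is an added illustration (not the plugin's own code, and not a reconstruction of it) of a hypothetical search helper that relies on wpdb::esc_like() alone, beside a hardened version that binds the value with $wpdb->prepare() and registers its REST route behind a permission_callback; the function names and the example/v1 namespace are assumptions.

```php
<?php
// Added illustration, not All In One SEO code. Assumes a WordPress context
// where $wpdb and the REST API are loaded.

/**
 * Unsafe pattern: esc_like() only escapes the LIKE wildcards (%, _ and \),
 * so a quote in $search survives and can terminate the string literal.
 */
function unsafe_search_for_objects( $search ) {
    global $wpdb;
    $term = $wpdb->esc_like( $search );
    // Plain concatenation: the user-controlled value lands inside the SQL.
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%{$term}%' LIMIT 20"
    );
}

/**
 * Hardened pattern: esc_like() still neutralises the wildcards, and the
 * value is then bound through $wpdb->prepare(), which quotes it correctly.
 */
function safe_search_for_objects( $search ) {
    global $wpdb;
    $term = '%' . $wpdb->esc_like( $search ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s LIMIT %d",
            $term,
            20
        )
    );
}

// Register the route with a permission_callback so that subscribers cannot
// reach it; an endpoint that answers to any authenticated user is exactly
// what turns a REST-layer authorisation bug into database access.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/objects', array( // hypothetical namespace
        'methods'             => 'GET',
        'callback'            => function ( WP_REST_Request $request ) {
            $search = (string) $request->get_param( 'search' );
            return rest_ensure_response( safe_search_for_objects( $search ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array( 'search' => array( 'type' => 'string', 'required' => true ) ),
    ) );
} );
```

Reviewing a plugin for the unsafe shape above (esc_like() followed by string interpolation into a query) is a quick way to spot the class of bug described here.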
You can read more details about these WordPress All In One SEO vulnerabilities in Jetpack's post.
Conclusion
We strongly recommend that affected users update to the latest plugin version immediately, and that you share this post within the WordPress community to raise awareness among site owners of these vulnerabilities and how to stay safe from attacks.