During an internal audit, security researchers at Jetpack uncovered two vulnerabilities in All In One SEO that they describe as severe: an SQL Injection vulnerability and a Privilege Escalation bug in this popular WordPress plugin, which has more than 3 million installations.
If exploited, these vulnerabilities could allow an attacker to gain privileged database access, exposing usernames, hashed passwords and other data. They could also allow low-privileged accounts, such as subscribers, to perform remote code execution.
Authenticated Privilege Escalation (CVE-2021-25036)
The Authenticated Privilege Escalation bug could grant hackers access to protected REST API endpoints they shouldn’t have access to.
Every All In One SEO plugin release from 4.0.0 through 22.214.171.124 inclusive is affected. The plugin developers have patched the issue and released version 126.96.36.199.
Authenticated SQL Injection (CVE-2021-25037)
This vulnerability could be exploited via the PostsTerms::searchForObjects() method, which is reachable through the /wp-json/aioseo/v1/objects REST API route. The method only escaped user input with wpdb::esc_like() before appending it to an SQL query.
Since the said method is not designed to escape quotes, an attacker could still inject them and force the query to leak sensitive information from the database, like user credentials.
Normally this endpoint is not accessible to users with low-privileged accounts, but the Authenticated Privilege Escalation bug makes it possible for such an attacker to reach it and abuse this vulnerability.
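The two issues above share a root cause pattern that is worth seeing in code: an endpoint whose permission check does not require a real capability, and a search handler that relies on esc_like() alone. The following is an added illustrative example written for this post, not the All In One SEO plugin's own code; the route name example/v1/objects, the function names example_search_objects and example_search_objects_unsafe, and the chosen capability edit_posts are assumptions, while register_rest_route, current_user_can, $wpdb->esc_like, $wpdb->prepare and $wpdb->get_results are standard WordPress APIs. It shows the weak esc_like()-only concatenation beside the hardened form that adds $wpdb->prepare and a capability-based permission_callback.

```php
<?php
// Illustrative WordPress REST endpoint (added example, not the plugin's own code).
// Shows the unsafe esc_like()-only pattern next to a hardened version.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/objects', array(
        'methods'  => 'GET',
        'callback' => 'example_search_objects',
        // Mitigation for the privilege-escalation class: require a specific
        // capability instead of merely checking that the caller is logged in.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' ); // capability is an assumption
        },
        'args' => array(
            'query' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// UNSAFE (not routed, shown for contrast): esc_like() only escapes the LIKE
// wildcards % and _ (and the backslash). It does not neutralise quotes, so a
// quote in $term closes the string literal and the rest becomes SQL.
function example_search_objects_unsafe( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '{$like}'";
    return $wpdb->get_results( $sql );
}

// HARDENED: esc_like() still handles the wildcards, and prepare() with a %s
// placeholder quotes and escapes the whole value, so quotes in the input stay
// inside the string literal instead of terminating it.
function example_search_objects( WP_REST_Request $request ) {
    global $wpdb;
    $term = (string) $request->get_param( 'query' );
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s LIMIT 20",
        $like
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}
```

The two escaping steps are not interchangeable: esc_like() exists so that a user-supplied "%" or "_" is matched literally, while prepare() is what produces a correctly quoted SQL string literal. A handler that performs only the first step is still injectable, and a permission_callback that only checks is_user_logged_in() (or returns true) exposes that handler to every subscriber-level account.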
Every All In One SEO plugin release from 188.8.131.52 through 184.108.40.206 inclusive is affected.
We strongly recommend that affected users update to the latest plugin version immediately. We also encourage you to share this post within the WordPress community to make site owners aware of these vulnerabilities and how to stay safe from any attacks.