Two critical and high severity security vulnerabilities in the popular “All in One” SEO WordPress plugin exposed more than 3 million websites to takeover attacks.
Automattic security researcher Marc Montpas discovered and reported the security flaws, which include a critical Authenticated Privilege Escalation bug (CVE-2021-25036) and a high severity Authenticated SQL Injection (CVE-2021-25037).
The developer of the plugin released a security update to address both All in One bugs on December 7, 2021.
But over 820,000 sites using the plugin are yet to update their installation and are still exposed to attacks.
Even though successfully exploiting the two vulnerabilities requires the attacker to be authenticated, a low-privileged role such as Subscriber is enough, which is what makes these flaws dangerous.
Subscriber is a default WordPress user role (just as Contributor, Author, Editor, and Administrator), commonly enabled to allow registered users to comment on articles published on WordPress sites.
Although subscribers can normally only post comments and edit their own profile, on a vulnerable site they can exploit CVE-2021-25036 to elevate their privileges, gain remote code execution, and completely take the site over.
Escalating privileges by abusing CVE-2021-25036 is easy to perform on sites running an unpatched All in One SEO version: “changing a single character to uppercase” is enough to bypass all implemented privilege checks.
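The bug class behind that one-character bypass is a privilege check that compares the requested route case-sensitively while the framework matches routes case-insensitively. The following is an added illustration for code reviewers, not the plugin's own code; the route names and the `/example/v1` namespace are hypothetical, and the hardened variant relies on a per-route WordPress permission callback instead of a central string allowlist.

```php
<?php
// Added illustration (not the plugin's code) of a case-sensitivity bug in a
// privilege check. Route names below are hypothetical.

// Routes that must stay admin-only (hypothetical examples, lowercase).
const PRIVILEGED_ROUTES = ['/example/v1/settings', '/example/v1/htaccess'];

// Vulnerable pattern: exact string comparison against the allowlist.
// WordPress REST routing is case-insensitive, so a request for
// '/example/v1/Settings' still reaches the handler, but this check does not
// recognise it as privileged and falls through to the low-privilege default.
function is_privileged_vulnerable(string $route): bool {
    return in_array($route, PRIVILEGED_ROUTES, true);
}

// Hardened comparison: normalise case and trailing slashes before matching,
// so every spelling the router accepts is treated the same way.
function is_privileged_fixed(string $route): bool {
    $normalised = strtolower(rtrim($route, '/'));
    return in_array($normalised, PRIVILEGED_ROUTES, true);
}

// Preferred design: attach the capability requirement to each route at
// registration time, so no central route-string comparison is needed at all.
function register_example_routes(): void {
    register_rest_route('example/v1', '/settings', [
        'methods'             => 'POST',
        'callback'            => 'example_save_settings',   // hypothetical handler
        'permission_callback' => function (WP_REST_Request $request): bool {
            // Capability check tied to the route, independent of how it was spelled.
            return current_user_can('manage_options');
        },
    ]);
}
add_action('rest_api_init', 'register_example_routes');
```

During review, any `in_array`/`===` comparison of `$request->get_route()` against a list of privileged paths is the pattern to flag; the `permission_callback` form removes the comparison entirely.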
All WordPress admins who are still using All In One SEO versions affected by these severe vulnerabilities (between 4.0.0 and 4.1.5.2) and who haven’t already installed the 4.1.5.3 patch are advised to do so immediately.