Over 3 million websites were exposed to takeover attacks because of two security flaws, one severe and one of high severity, in the popular “All in One SEO” WordPress plugin. A major Authenticated Privilege Escalation issue (CVE-2021-25036) and a high-severity Authenticated SQL Injection bug (CVE-2021-25037) were found and reported by Automattic security researcher Marc Montpas.
On December 7, 2021, the plugin’s developer published a security update that fixes both “All in One SEO” vulnerabilities. However, download statistics for the two weeks after the fix was released show that more than 820,000 sites using the plugin have yet to update their installation, leaving them open to attack.
Although exploiting the two issues requires the attacker to be authenticated, the fact that only low-level permissions such as Subscriber are needed makes them extremely hazardous. Subscriber is a WordPress user role (alongside Contributor, Author, Editor, and Administrator) that lets registered users leave comments on posts published on a WordPress site.
Subscribers can normally only edit their own profile and submit comments, but in this case they can use CVE-2021-25036 to elevate their privileges and gain remote code execution on vulnerable sites, allowing them to take the sites over completely. On sites running an unpatched All in One SEO version, escalating privileges via CVE-2021-25036 is as simple as “modifying a single character to uppercase” to evade all of the established privilege checks, as Montpas found.
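The “one character in uppercase” bypass is an instance of a well-known bug class: the privilege check and the code that later dispatches the request normalize the incoming route differently, so a string the check does not recognize still reaches a privileged handler. The following is an added illustration written for this article, not the All in One SEO plugin’s code; the routes, roles and handlers are made up, and it models only the general pattern and its fix (canonicalize before authorizing, deny unknown routes by default).

```python
"""Hypothetical model of a 'normalize after you authorize' bug.

This is an added illustration, not the All in One SEO plugin's code. It shows
why a privilege check that compares a route string case-sensitively can be
bypassed when the dispatcher treats the same string case-insensitively, and
how the hardened version closes the gap. All route names, roles and handlers
are constructed for the demonstration.
"""
from dataclasses import dataclass

# Constructed role ordering, lowest privilege first.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4}

# Constructed table: minimum role required per endpoint (keys are lowercase).
REQUIRED_ROLE = {
    "/tools/export-settings": "administrator",
    "/posts/update-meta": "editor",
    "/profile/update": "subscriber",
}

# Constructed handler table; a real plugin would map routes to callbacks.
HANDLERS = {route: (lambda r=route: f"executed {r}") for route in REQUIRED_ROLE}


@dataclass
class Request:
    user_role: str
    route: str


def _dispatch(route: str) -> str:
    """Hypothetical dispatcher that resolves the handler case-insensitively,
    the way a tolerant router or a case-insensitive file system might."""
    for name, handler in HANDLERS.items():
        if name.lower() == route.lower():
            return handler()
    return "no such route"


def handle_vulnerable(req: Request) -> str:
    """Authorization compares the raw, un-normalized route string.

    A route that is absent from REQUIRED_ROLE (for example because one letter
    differs in case) falls through to the permissive 'subscriber' default, yet
    the dispatcher still finds the privileged handler.
    """
    needed = REQUIRED_ROLE.get(req.route, "subscriber")
    if ROLE_RANK[req.user_role] < ROLE_RANK[needed]:
        return "denied"
    return _dispatch(req.route)


def handle_hardened(req: Request) -> str:
    """Canonicalize the route exactly as the dispatcher will see it *before*
    the privilege check, and deny by default for routes that are not listed."""
    canonical = req.route.lower()
    if canonical not in REQUIRED_ROLE:
        return "denied"
    needed = REQUIRED_ROLE[canonical]
    if ROLE_RANK[req.user_role] < ROLE_RANK[needed]:
        return "denied"
    return _dispatch(canonical)


if __name__ == "__main__":
    odd_case = Request("subscriber", "/tools/Export-settings")
    print("vulnerable:", handle_vulnerable(odd_case))   # privileged handler runs
    print("hardened:  ", handle_hardened(odd_case))     # denied
```

The defensive lesson is that every string an authorization decision depends on must be canonicalized with the same rules the dispatcher uses, and that an unrecognized route should fail closed rather than fall through to the least-privileged default. A regression test that sends a mixed-case variant of each privileged route as a low-privilege user is a cheap way to keep this class of bug from returning.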
WordPress admins still running a version of the All In One SEO plugin affected by these vulnerabilities (between 4.0.0 and 126.96.36.199) who have not yet applied the 188.8.131.52 patch should do so immediately.
“We recommend that you check which version of the All In One SEO plugin your site is using, and if it is within the affected range, update it as soon as possible,” the researcher alerted a week ago.
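A practical way to follow that advice across many sites is to read the version from the plugin’s header comment and compare it numerically against the affected range. The script below is an added example written for this article, not code from the plugin or its vendor. The plugin file path and the version bounds are placeholders to be filled in from the vendor’s advisory, and the sample header text is constructed for the demonstration.

```python
"""Added example (not part of the original article): check a WordPress
plugin's version against an affected range.

WordPress stores plugin metadata in a header comment at the top of the
plugin's main PHP file, including a 'Version:' line. This script extracts that
field and compares it numerically against the affected/fixed bounds from the
vendor's advisory. FIRST_AFFECTED and FIRST_FIXED below are PLACEHOLDERS, as is
the plugin file path; the header text used for demonstration is constructed.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

Version = Tuple[int, ...]

# PLACEHOLDER bounds: replace with the values from the plugin author's advisory.
FIRST_AFFECTED: Version = (4, 0, 0)
FIRST_FIXED: Version = (9, 9, 9)      # placeholder, not a real release

# PLACEHOLDER path: point this at the plugin's main PHP file on your install.
PLUGIN_FILE = Path("wp-content/plugins/EXAMPLE-PLUGIN/EXAMPLE-PLUGIN.php")

# Constructed sample header, shaped like a real WordPress plugin header.
CONSTRUCTED_HEADER = """<?php
/**
 * Plugin Name: Example SEO Plugin
 * Version: 4.1.5
 * Author: Example
 */
"""


def parse_version(header_text: str) -> Optional[Version]:
    """Return the 'Version:' field as a tuple of ints so that 4.1.10 sorts
    after 4.1.9 (a plain string comparison would get this wrong)."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)",
                      header_text, re.MULTILINE)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).strip(".").split("."))


def is_affected(version: Version,
                first_affected: Version = FIRST_AFFECTED,
                first_fixed: Version = FIRST_FIXED) -> bool:
    """True when first_affected <= version < first_fixed."""
    return first_affected <= version < first_fixed


def assess(header_text: str,
           first_affected: Version = FIRST_AFFECTED,
           first_fixed: Version = FIRST_FIXED) -> str:
    """Human-readable verdict for one plugin header."""
    version = parse_version(header_text)
    if version is None:
        return "unknown: no Version header found"
    label = ".".join(str(p) for p in version)
    if is_affected(version, first_affected, first_fixed):
        return f"AFFECTED: version {label} is in the vulnerable range; update now"
    return f"ok: version {label} is outside the vulnerable range"


def check_plugin_file(path: Path = PLUGIN_FILE) -> str:
    """Read the real plugin file (only the header matters) and assess it."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")[:8192]
    except OSError as exc:
        return f"unknown: cannot read {path}: {exc}"
    return assess(text)


if __name__ == "__main__":
    print(assess(CONSTRUCTED_HEADER))
    print(check_plugin_file())
```

On a host with WP-CLI installed, `wp plugin list` gives the same version information for every plugin at once; the script is mainly useful when scanning file systems or backups where WP-CLI is not available. Either way, the comparison must be numeric, because a lexical comparison would wrongly treat 4.1.10 as older than 4.1.9.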