800K WordPress sites still impacted by critical SEO plugin flaw

Two critical and high severity security vulnerabilities in the highly popular “All in One” SEO WordPress plugin exposed over 3 million websites to takeover attacks.

The security flaws, discovered and reported by Automattic security researcher Marc Montpas, are a critical Authenticated Privilege Escalation bug (CVE-2021-25036) and a high severity Authenticated SQL Injection (CVE-2021-25037).

Over 800,000 vulnerable WordPress sites

The plugin’s developer released a security update to address both All in One SEO bugs on December 7, 2021.

However, more than 820,000 sites using the plugin have yet to update their installation, according to download statistics for the two weeks since the patch was released, and are still exposed to attacks.

What makes these flaws highly dangerous is that, even though successfully exploiting the two vulnerabilities requires threat actors to be authenticated, they only need low-level permissions such as Subscriber to abuse them in attacks.

Subscriber is a default WordPress user role (just like Contributor, Author, Editor, and Administrator), commonly enabled to allow registered users to comment on articles published on WordPress sites.

Though subscribers are sometimes solely in a position to edit their very own profile apart from posting feedback, on this case, they’ll exploit CVE-2021-25036 to raise their privileges and achieve distant code execution on susceptible websites and, seemingly, fully take them over.

All in One SEO plugin downloads since the patch was released on December 7, 2021:

Date        Downloads
2021-12-07     336738
2021-12-08    1403672
2021-12-09      68941
2021-12-10      45392
2021-12-11      31346
2021-12-12      26677
2021-12-13      35666
2021-12-14      34938
2021-12-15      72301
2021-12-16      28672
2021-12-17      24699
2021-12-18      18774
2021-12-19      17972
2021-12-20      25388
Total         2171176

WordPress admins urged to update ASAP

As Montpas revealed, escalating privileges by abusing CVE-2021-25036 is an easy task on sites running an unpatched All in One SEO version: “changing a single character to uppercase” is enough to bypass all implemented privilege checks.

“This is particularly worrying because some of the plugin’s endpoints are quite sensitive. For example, the aioseo/v1/htaccess endpoint can rewrite a site’s .htaccess with arbitrary content,” Montpas explained.

“An attacker could abuse this feature to hide .htaccess backdoors and execute malicious code on the server.”
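As an added example (not code from the article, from Montpas, or from the All in One SEO plugin), the following must-use plugin enforces an administrator check on everything under the aioseo/v1/ REST namespace named above, independently of the plugin's own checks, for sites that cannot update immediately. It assumes the single-character bypass worked through a case-sensitive route comparison, that manage_options is the appropriate capability, and that the mu_guard_* helper names are hypothetical.

```php
<?php
/**
 * Added example: defence-in-depth guard for the aioseo/v1/ REST namespace.
 * Drop into wp-content/mu-plugins/ on a site still running a vulnerable
 * release. Assumption: the plugin's privilege check compared the requested
 * route case-sensitively, while WordPress itself matches REST routes
 * case-insensitively, so a single uppercase character slipped past it.
 */

// Vulnerable pattern (assumed): a case-sensitive prefix test. A request for
// /aioseo/v1/Htaccess is routed to the handler but never reaches this check.
function mu_guard_is_protected_naive( string $route ): bool {
    return strpos( $route, '/aioseo/v1/' ) === 0;
}

// Hardened: normalise case before comparing, matching how the REST router
// dispatches, so every spelling of the namespace is treated the same.
function mu_guard_is_protected( string $route ): bool {
    return stripos( $route, '/aioseo/v1/' ) === 0;
}

// rest_request_before_callbacks runs before any endpoint permission
// callback; returning a WP_Error short-circuits the request.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // already rejected earlier in the pipeline
    }
    if ( mu_guard_is_protected( $request->get_route() )
        && ! current_user_can( 'manage_options' ) ) {
        // A non-administrator reaching a protected SEO endpoint is worth an
        // alert; the web server's error log is the simplest place to record it.
        error_log( sprintf(
            'mu-guard: blocked %s %s for user %d',
            $request->get_method(),
            $request->get_route(),
            get_current_user_id()
        ) );
        return new WP_Error(
            'rest_forbidden',
            'This endpoint requires administrator privileges.',
            array( 'status' => 403 )
        );
    }
    return $response;
}, 10, 3 );
```

Remove the guard once the plugin has been updated to the patched release; it only needs to cover the window between disclosure and the update.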

WordPress admins still using All In One SEO versions affected by these severe vulnerabilities (4.0.0 and later, prior to the December 7 patch) who have not already installed the patch are advised to do so immediately.

“We recommend that you check which version of the All In One SEO plugin your site is using, and if it is within the affected range, update it as soon as possible,” the researcher warned one week ago.
