It's that time of the year again with a new vulnerability coming from the WordPress plugin ecosystem. This time it is a vulnerability in All in One SEO Plugin which allows a user who has an account on the website to perform a privilege escalation exploit.
The vulnerability was discovered by security researcher Marc Montpas who works at Automattic. The plugin that Marc found the vulnerability in is used by over three million websites constituting a serious vulnerability for WordPress website owners who still haven't updated to the latest version of the plugin yet.
The plugin contains two separate vulnerabilities, a privilege escalation vulnerability, and a SQL injection vulnerability. Both of these require the attacker to already have an account on the website to perform these attacks.
While the plugin does have a series of API endpoints and also performs a check to ensure that the user has the correct privileges in order to perform the action. The plugin did not have a check for how WordPress itself handles REST API routes. WordPress allows for routes to be case insensitive and the plugin assumed for the route to be case sensitive, so to bypass any of the checks from the plugin you would only need to change a character in the string to uppercase.
Using this vulnerability in combination with the SQL injection vulnerability could make this situation a 100x worst for the administrator.
In this plugin there exist an endpoint that allows for the execution of SQL commands, and if properly exploited could leak sensitive information from the database.
Make sure you always keep your plugins up to date in order to protect yourself against threats like these. Also if you do not have a plugin such as wordfence or any other WordPress security plugin, I do wholly recommend getting one of them in order to add additional security to your site.
Copyright © Brandon-travis.com 2022.