Brandon Travis

A picture that shows security issues

WordPress All in One SEO Plugin Vulnerability

Last updated on: Sunday, December 26, 2021

It's that time of the year again with a new vulnerability coming from the WordPress plugin ecosystem. This time it is a vulnerability in All in One SEO Plugin which allows a user who has an account on the website to perform a privilege escalation exploit.

Background

The vulnerability was discovered by security researcher Marc Montpas who works at Automattic. The plugin that Marc found the vulnerability in is used by over three million websites constituting a serious vulnerability for WordPress website owners who still haven't updated to the latest version of the plugin yet.

The plugin contains two separate vulnerabilities, a privilege escalation vulnerability, and a SQL injection vulnerability. Both of these require the attacker to already have an account on the website to perform these attacks.

Privilege Escalation

While the plugin does have a series of API endpoints and also performs a check to ensure that the user has the correct privileges in order to perform the action. The plugin did not have a check for how WordPress itself handles REST API routes. WordPress allows for routes to be case insensitive and the plugin assumed for the route to be case sensitive, so to bypass any of the checks from the plugin you would only need to change a character in the string to uppercase.

Using this vulnerability in combination with the SQL injection vulnerability could make this situation a 100x worst for the administrator.

SQL Injection Vulnerability

In this plugin there exist an endpoint that allows for the execution of SQL commands, and if properly exploited could leak sensitive information from the database.

This route isn't able to be accessed by low-level accounts but combining the privilege escalation exploit along with this allows an attacker full access to the database allowing the attacker to retrieve administrator and user information.

Conclusion

Make sure you always keep your plugins up to date in order to protect yourself against threats like these. Also if you do not have a plugin such as wordfence or any other WordPress security plugin, I do wholly recommend getting one of them in order to add additional security to your site.


Related Posts

Linux mascot penguin
Linux Servers and Security
Picture of WordPress logo
How secure is WordPress really?
picture of laptop with warning icon
Log4j vulnerability and what it means

Copyright © Brandon-travis.com 2022.