• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Critical Vulnerabilities in All in One SEO Plugin Affects Millions of WordPress Websites

December 21, 2021Ben Martin

FacebookTwitterSubscribe
Security Risk: High

Exploitation Level: Easy

CVSS Score: 9.9 / 7.7

Vulnerability: Privilege Escalation, SQL Injection

Patched Version: 4.1.5.3

Last week, security researcher at Automattic Marc Montpas recently discovered two severe security vulnerabilities within one of the most popular SEO plugins used by WordPress website owners: All in One SEO. The plugin is used by more than three million websites and if left unpatched could cause some serious headaches for WordPress users.

The Details

Both vulnerabilities require that the attacker have an account on the website, but the account could be as low-level as a subscriber. By default new accounts are ranked as subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have. If a WordPress website has account creation enabled, when exploited in tandem, these two security holes allow an attacker to take over an unpatched WordPress website.

Authenticated Privilege Escalation

The first issue found with this plugin is interesting, and can be exploited by simply changing a single character of a request to uppercase. It affects versions 4.0.0 and 4.1.5.2 of All in One SEO. This plugin has access to a number of REST API endpoints, but performs a permission check before executing any commands sent. This ensures that the user has proper permissions to instruct the plugin to execute commands. However, All in One SEO did not account for the subtle fact that WordPress treats these REST API routes as case-insensitive strings. Changing a single character to uppercase would bypass the authentication checks altogether.

When exploited, this vulnerability has the capability to overwrite certain files within the WordPress file structure, effectively giving backdoor access to any attacker. This would allow a takeover of the website, and could elevate the privileges of subscriber accounts into admins.

Vulnerable code in All-In-One-SEO WordPress plugin allowing for privilege escalation

Authenticated SQL Injection

The second vulnerability discovered is present in versions 4.1.3.1 and 4.1.5.2 of this plugin. There is a particular endpoint located here:

/wp-json/aioseo/v1/objects

This endpoint isn’t intended to be accessible by low-level accounts. However, since the previous vulnerability described allowed for privilege escalation, the attackers could first elevate their privileges and then execute SQL commands to leak sensitive data from the database, including user credentials and admin information.

Vulnerable code in All-In-One-SEO WordPress plugin allowing for SQL injection

In Conclusion

If your website is using All in One SEO be sure to update to the most recent version as soon as possible! You will also want to review the administrator users present on your website. Remove any suspect users that you do not recognise, and for good measure change all administrator account passwords. It’s also prudent to add some additional hardening to your administrator panel.

Users of our firewall are protected against these vulnerabilities. Although we always recommend updating out of date plugins to the most recent version, particularly in cases such as these where security issues are present!

Edit: A previous version of this post stated that WordPress has public user creation enabled by default. This was incorrect as it does, in fact, have to be manually enabled by site administrators.

FacebookTwitterSubscribe

Categories: Vulnerability Disclosure, Website Security, WordPress Security

About Ben Martin

Ben Martin is a security analyst and researcher who joined the company in 2013. Ben's main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than eight years of working with infected websites, writing blog posts, and taking escalated tickets. When Ben isn't slaying malware, you might find him editing audio, producing music, playing video games, or cuddling with his cat. Connect with him on Twitter

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.