Critical Vulnerability in All in One SEO WordPress Plugin

  • Post last modified:December 23, 2021
  • Post category:Security
  • Post comments:0 Comments
  • Reading time:2 mins read

A critical privilege-escalation vulnerability could lead to backdoors for admin access nesting in web servers.

A critical vulnerability has been discovered in the popular WordPress SEO plugin All in One SEO. As per WordPress stats, this plugin is used by more than 3 millions websites. If it is not patched by the website owners, it can cause the serious problem for the website owners.

Security Risk: High
Exploitation Level: Easy
CVSS Score: 9.9 / 7.7
Vulnerability: Privilege Escalation, SQL Injection
Patched Version: 4.1.5.3

If you are using All in One SEO WordPress plugin, make sure that you upgraded it to latest version 4.1.5.3 to secure your website. If it is not upgraded, it can cause serious problem for your website.

An attacker with an account with the site – such as a subscriber, shopping account holder or member – can take advantage of the holes, which are a privilege-escalation bug and an SQL-injection problem, according to researchers at Sucuri.

By default, new accounts are ranked as subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intend.

Popular WordPress plugins are now being targeted for such vulnerabilities. In last couple of months, many popular WordPress plugins were patched to address critical privilege escalation, XSS, SQL injection etc. vulnerabilities. For WordPress users, you should keep your installation up to date to avoid any impact.

Leave a Reply