The All In One SEO plugin has patched a set of severe vulnerabilities that were discovered by the Jetpack Scan team two weeks ago. Version 184.108.40.206, released December 8, includes fixes for a SQL Injection vulnerability and a Privilege Escalation bug.
Marc Montpas, the researcher who discovered the vulnerabilities, explained how they could be exploited:
If exploited, the SQL Injection vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).
The Privilege Escalation bug we discovered may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.
The Common Vulnerability Scoring System (CVSS) gave the vulnerabilities High and Critical scores for exploitability.
Montpas explained that All In One SEO failed to secure the plugin’s REST API endpoints, allowing users with low-privileged accounts (such as subscribers) to bypass the privilege checks and gain access to every endpoint the plugin registers. This includes a particularly sensitive htaccess endpoint, which is capable rewriting a site’s .htaccess file with arbitrary content. Montpas said an attacker could abuse this feature to hide .htaccess backdoors and execute malicious code on the server.
All in One SEO is active on more than 3 million WordPress sites, and every version of the plugin between 4.0.0 and 220.127.116.11 is affected and vulnerable. Users with automatic updates enabled for minor releases should already have the patch since it was released six days ago. For those who are updating manually, the Jetpack Scan team recommends users within the affected range update to the latest version as soon as possible.