The All In One SEO plugin has patched a set of severe vulnerabilities that were discovered by the Jetpack Scan team two weeks ago. Version 184.108.40.206, released December 8, includes fixes for a SQL Injection vulnerability and a Privilege Escalation bug.
Marc Montpas, the researcher who discovered the vulnerabilities, explained how they could be exploited:
If exploited, the SQL Injection vulnerability might grant attackers access to privileged data from the affected site’s database (e.g., usernames and hashed passwords).
The Privilege Escalation bug we found might grant bad actors access to protected REST API endpoints they shouldn’t have access to. This might ultimately allow users with low-privileged accounts, like subscribers, to carry out remote code execution on affected sites.
Montpas explained that All In One SEO didn’t secure the plugin’s REST API endpoints, allowing users with low-privileged accounts (such as subscribers) to bypass the privilege checks and gain access to every endpoint the plugin registers. This includes a particularly sensitive htaccess endpoint, which is capable of rewriting a site’s .htaccess file with arbitrary content. Montpas said an attacker could abuse this feature to hide .htaccess backdoors and execute malicious code on the server.
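Because the htaccess endpoint could rewrite the file with arbitrary content, a site that ran an affected version is worth reviewing after patching. The following is an added example, not code from the Jetpack Scan team or the plugin: it reports every directive that sits outside the `# BEGIN WordPress` / `# END WordPress` block written by WordPress core. The sample file, the `ConstructedPlugin` block name and the `audit_htaccess` function are constructed for illustration.

```python
import re

BEGIN = re.compile(r"^#\s*BEGIN\s+(.+?)\s*$")
END = re.compile(r"^#\s*END\s+(.+?)\s*$")

# Constructed sample: the default WordPress block plus content added outside it.
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

ErrorDocument 404 /constructed-example.html
# BEGIN ConstructedPlugin
Options -Indexes
# END ConstructedPlugin
"""

def audit_htaccess(text, expected_blocks=("WordPress",)):
    """Return (line, kind, detail) for content outside the expected marker blocks."""
    findings, current = [], None  # current = marker block we are inside, if any
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        begin, end = BEGIN.match(line), END.match(line)
        if begin:
            current = begin.group(1)
            if current not in expected_blocks:
                findings.append((lineno, "unexpected-block", current))
        elif end:
            if current != end.group(1):
                findings.append((lineno, "unmatched-end", line))
            current = None
        elif not line or line.startswith("#"):
            continue  # blank lines and plain comments carry no directive
        elif current is None:
            findings.append((lineno, "outside-block", line))
        elif current not in expected_blocks:
            findings.append((lineno, "in-unexpected-block", line))
    if current is not None:
        findings.append((len(lines), "unterminated-block", current))
    return findings
```

A finding is a prompt for manual review, not proof of compromise: other plugins legitimately add their own marker blocks, which can be passed in through `expected_blocks` once verified.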
All in One SEO is active on more than 3 million WordPress sites, and every version of the plugin between 4.0.0 and 220.127.116.11 is affected and vulnerable. Users with automatic updates enabled for minor releases should already have the patch, since it was released six days ago. For those who are updating manually, the Jetpack Scan team recommends that users within the affected range update to the latest version as soon as possible.