Update All in One SEO Pack to Protect Websites Against Hackers
WordPress websites running outdated versions of All in One SEO are vulnerable to hackers. Unpatched versions of the popular WordPress plugin contain security flaws that allow cybercriminals to gain admin access or execute arbitrary code on the web server.
The first All in One SEO flaw allows for authenticated Privilege Escalation. Impacted versions include versions 4.0.0 to 184.108.40.206, inclusive. Users with low-privilege accounts, such as subscribers and contributors, can exploit the flaw to gain backdoor access or execute malicious code on the server.
This vulnerability is tracked in the Common Vulnerabilities and Exposures database as CVE-2021-25036.
The second security flaw involves authenticated SQL Injection. Impacted versions include 220.127.116.11 to 18.104.22.168, inclusive. By appending a crafted string to input that is placed into an SQL query, an attacker can manipulate the query to expose sensitive information from the database, including login credentials.
This bug is tracked as CVE-2021-25037.
All in One SEO is a WordPress plugin (or add-on). It was first released in 2007. According to its WordPress plugin page statistics, more than three million websites use All in One SEO. There is both a free version, known as the lite version, and a pro version available for a fee.
Search engine optimization (SEO) is the practice of working with website programming, planning, and content to help it rank higher in web searches.
“The Privilege Escalation bug we discovered may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites,” says the developer.
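The two controls behind these flaws, a REST API permission check and a parameterized database query, are easier to see in code. The following is an added illustration written for this article, not code from All in One SEO; the route namespace `example-seo/v1`, the table name `example_seo_meta` and the callback names are hypothetical, while `register_rest_route`, `current_user_can` and `$wpdb->prepare` are the standard WordPress APIs.

```php
<?php
// Added illustration, not All in One SEO code. Route namespace, table name and
// function names are hypothetical; the WordPress APIs used are real.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/settings', array(
        'methods'  => 'POST',
        'callback' => 'example_seo_update_settings',
        // Permission check: only users who may manage options reach the handler.
        // A missing or overly permissive permission_callback is what lets a
        // subscriber-level account call a route meant for administrators.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'post_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
            'title' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_seo_update_settings( WP_REST_Request $request ) {
    global $wpdb;
    $post_id = (int) $request['post_id'];
    $title   = $request['title'];
    $table   = $wpdb->prefix . 'example_seo_meta'; // hypothetical table name

    // Vulnerable pattern (kept only as a comment): request input concatenated
    // straight into the statement, so a crafted 'title' value changes the query.
    // $wpdb->query( "UPDATE $table SET seo_title = '$title' WHERE post_id = $post_id" );

    // Safe pattern: values are bound through $wpdb->prepare() placeholders, so
    // the input is treated as data and can never alter the SQL structure.
    $rows = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET seo_title = %s WHERE post_id = %d",
            $title,
            $post_id
        )
    );

    if ( false === $rows ) {
        return new WP_Error( 'db_error', 'Update failed', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'updated' => $rows ) );
}
```

When reviewing a plugin, the two things to look for are exactly these: every `register_rest_route` call should carry a `permission_callback` that checks a capability appropriate to the action, and every query that includes request data should go through `$wpdb->prepare` rather than string concatenation.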
All site admins should update All in One SEO to patch the security flaws.
The current version of All in One SEO is 22.214.171.124. An updated version of the plugin can be downloaded from the official WordPress plugin page.
Website admins should use caution when updating and maintaining WordPress core files and plugins. Install core files and plugins only from the official WordPress repository or directly from the developer.
Attackers often set up spoofed websites to trick users into downloading malicious files disguised as updates and apps.