Two vulnerabilities have been identified in the All in One SEO plugin for WordPress that could be chained and exploited to achieve a full site takeover. The search engine optimization plugin has been installed on more than 3 million websites, many of which are still vulnerable.
The two vulnerabilities can be chained in an attack by any user with an account on a vulnerable site, even if that account has only low-level privileges, such as those of a website subscriber or the holder of a shopping account on an e-commerce website.
Subscriber is the default role for accounts on WordPress sites, and all WordPress sites allow subscriber accounts to be created in the default configuration. While a subscriber can normally only post comments on a WordPress site, the elevation-of-privilege vulnerability allows such a user to elevate their privileges to admin level.
The vulnerability is also ridiculously easy to exploit, requiring only a single character in a request to be changed from lower to upper case. The bug is present in versions 4.0.0 and 184.108.40.206 of the All in One SEO plugin.
“This plugin has access to a number of REST API endpoints, but performs a permission check before executing any commands sent. This ensures that the user has proper permissions to instruct the plugin to execute commands,” wrote Ben Martin of Sucuri in a recent blog post about the vulnerability. “However, All in One SEO did not account for the subtle fact that WordPress treats these REST API routes as case-insensitive strings. Changing a single character to uppercase would bypass the authentication checks altogether.”
With admin-level privileges, an attacker could overwrite files within the WordPress installation, which could allow them to add a backdoor to the site. The vulnerability has been assigned a CVSS severity score of 9.9 out of 10.
The second vulnerability affects versions 220.127.116.11 and 18.104.22.168 of the plugin and is due to an issue with the API endpoint called “/wp-json/aioseo/v1/objects”. If an attacker exploited the first vulnerability and elevated their own privileges to admin, they could access this API endpoint, which would allow them to send malicious SQL commands to the backend database and obtain user credentials and other sensitive data. The vulnerability has been assigned a CVSS severity score of 7.7.
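Because WordPress matches REST routes case-insensitively while the plugin's permission check compared the literal route string, a request to a plugin route spelled with any uppercase letter is a useful indicator of exploitation attempts against unpatched sites. The following detection script is an added example, not code from the article or from the plugin; it assumes web server access logs in combined log format, uses constructed sample lines, and treats every route under the plugin's lowercase `/wp-json/aioseo/` namespace (including the `/v1/objects` endpoint named above) as one that should never appear in mixed case.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "POST /wp-json/aioseo/v1/objects HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2021:12:00:02 +0000] "POST /wp-json/aioseo/v1/Objects HTTP/1.1" 200 512 "-" "curl/7.79.1"
203.0.113.12 - - [10/Dec/2021:12:00:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Dec/2021:12:00:04 +0000] "POST /wp-json/AIOSEO/v1/objects HTTP/1.1" 403 0 "-" "python-requests/2.26"
"""

# Canonical (lowercase) prefix of the plugin's REST namespace.
REST_PREFIX = "/wp-json/aioseo/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_case_variant(path: str) -> bool:
    """True if the path is a plugin REST route spelled with any uppercase letter.

    WordPress routes the mixed-case spelling to the same handler, so a permission
    check comparing the exact route string would not recognise it. The query
    string is ignored because its parameters may legitimately be mixed case.
    Percent-encoded paths are not decoded here; normalise them first if your
    server logs them encoded.
    """
    route = path.split("?", 1)[0]
    if not route.lower().startswith(REST_PREFIX):
        return False
    return route != route.lower()


def find_case_variant_requests(log_text: str) -> List[Dict[str, str]]:
    """Return parsed entries whose route is a mixed-case plugin REST route."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_case_variant(entry["path"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in find_case_variant_requests(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

A hit with a 200 response on a site still running an affected version deserves the same follow-up as a confirmed compromise, since the article notes that admin-level access allows files in the installation to be overwritten.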
The vulnerabilities were identified by Automattic security researcher Marc Montpas. Users of the All in One SEO plugin should ensure they update the plugin to the latest version, v. 22.214.171.124, as soon as possible to prevent exploitation of the vulnerabilities.