Critical vulnerabilities in a popular SEO plugin put over 3 million WordPress websites at risk


Over 3 million WordPress websites that use the AIO SEO plugin are at risk of takeover attacks. Automattic security researcher Marc Montpas found two security vulnerabilities in the plugin, one rated critical and one rated high severity. The plugin developer issued a security update addressing both vulnerabilities on December 7, 2021.

The two vulnerabilities depend on each other for a successful attack. The first is a privilege escalation flaw that lets users with a low level of website access (such as a subscriber) raise their privilege level to administrator.

The attacker can exploit the WordPress REST API to gain access to usernames and passwords, because the AIO SEO plugin did not check whether a user accessing an API endpoint held the required privileges. Once the attacker has user credentials, they can then perform an authenticated SQL injection.
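The two weaknesses described above, a REST endpoint without a real authorization check and a handler that builds SQL from request input, are shown below beside their hardened form. This is an added illustration in PHP, not the AIO SEO plugin's code: the route namespace, table name and function names are hypothetical, while the WordPress APIs used (register_rest_route, current_user_can, $wpdb->prepare) are real.

```php
<?php
// Added illustration, not AIO SEO's code. Namespace, table and function names are
// hypothetical; register_rest_route, current_user_can and $wpdb->prepare are real.

// WEAK: permission_callback always returns true, so any authenticated user (e.g. a
// subscriber) reaches the handler, which concatenates request values into SQL.
function example_seo_register_weak_route() {
    register_rest_route( 'example-seo/v1', '/meta', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            global $wpdb;
            $post_id = $request->get_param( 'post_id' );
            $title   = $request->get_param( 'title' );
            // Unsafe: request values interpolated straight into the query.
            $wpdb->query( "UPDATE {$wpdb->prefix}example_seo_meta SET title = '$title' WHERE post_id = $post_id" );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED: require a capability only administrators hold, validate and
// sanitize arguments, and bind values with $wpdb->prepare().
function example_seo_register_hardened_route() {
    register_rest_route( 'example-seo/v1', '/meta', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_seo_update_meta',
        'permission_callback' => function () {
            // Core already checked authentication (cookie + nonce); this enforces authorization.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'post_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'title'   => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
}

function example_seo_update_meta( WP_REST_Request $request ) {
    global $wpdb;
    // %s and %d placeholders are quoted/escaped by $wpdb->prepare().
    $rows = $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}example_seo_meta SET title = %s WHERE post_id = %d",
        $request->get_param( 'title' ),
        $request->get_param( 'post_id' )
    ) );
    return rest_ensure_response( array( 'updated' => (int) $rows ) );
}

add_action( 'rest_api_init', 'example_seo_register_hardened_route' );
```

When reviewing a plugin, grep for `'permission_callback' => '__return_true'` on routes that read or change sensitive data and for `$wpdb->query` or `$wpdb->get_results` calls whose SQL is not wrapped in `$wpdb->prepare()`.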


AIO SEO, or All in One SEO, is a popular WordPress SEO plugin with over 3 million active installs. Although the patch has been issued, more than 820,000 sites using the plugin have yet to update it.

The vulnerable versions are 4.0.0 through 4.1.5.2. If you use the AIO SEO plugin, update it to 4.1.5.3 to keep your website safe.
