A vulnerability that allows hackers to access usernames and passwords and perform remote code execution exploits in All In One SEO Plugin has been discovered by security researchers from Jetpack. These vulnerabilities depend on each other in order to be successful.
The first vulnerability which allows a user with a low lever access privilege to raise their privilege level to have more access privileges (subscriber to administrator) is called Privilege Escalation Attack. The security researchers described this vulnerability as severe and can provide access to privileged information such as username and passwords, from the site’s database.
One of the exploits is the Authenticated Privilege Escalation which exploits the WordPress REST API and allows the attacker to access the usernames and passwords in the database. The problem with the plugin is that, the security checks that verify if a user accessing an API endpoint has the right privilege credentials.
According to Jetpack:
“the privilege checks which was applied in All in One SEO to secure REST API endpoints contained a very subtle bug that could’ve granted users with low-privileged accounts access to every single endpoint the plugin registers.”
The second exploit is the Authenticated SQL injection which relies on an attacker having some user credential. The SQL injection is the exploitation of an output with an unexpected series of code or characters. This enables providing access to the hacker.
Do you use All In One SEO in your WordPress site? If so, make sure that your plugin is updated to the latest version as this is the safest version. The vulnerability affects older version – versions 4.0.0 to 4.1.5.2.
It is always good practice to make sure that your plugins are updated to the latest version to ensure that you have the best version of the plugin and that it has all the updated security features that would prevent hacking and malware attacks.
Before you can receive free updates, link building strategies or SEO tips you need to confirm your email right now.
(It’s easy)
Just go to your inbox, open the confirmation email from the SIA, and click the link.
And that’s it!
PS: If you don’t see a confirmation email, please check your spam/junk or promotions folders. Sometimes the confirmation message ends up there by mistake.
Obtenez nos 7 études S.I.A. les plus controversées qui feront trembler la tête même les SEO les plus avancés d’incrédulité.
De plus, nous vous alerterons lorsque nous publierons de nouveaux tests au public.
Obtenga nuestros 7 estudios S.I.A. más controvertidos que harán que incluso el SEO más avanzado sacuda la cabeza con incredulidad.
Además, le avisaremos cuando publiquemos nuevas pruebas al público.
Get Our Most 7 Controversial S.I.A. Studies That Will Make Even the Most Advanced SEO Shake Their Head in Disbelief.
Plus we will alert you when we publish new tests to the public.
