A critical privilege-escalation vulnerability tracked as CVE-2021-25036 could lead to backdoors for admin access nesting in web servers.
A popular WordPress SEO-optimization plugin, called All in One SEO. This plugin has a pair of security vulnerabilities that, when combined into an exploit chain, could leave website owners open to site takeover.
What versions are vulnerable?
For both vulnerabilities, update your plugins to version 4.1.5.3 then vulnerabilities will be patched.
Privilege Escalation and SQL Injection
The more severe issue out of the two bugs is the privilege-escalation problem. It carries a critical rating of 9.9 out of 10.
The vulnerability “can be exploited by simply changing a single character of a request to upper-case,” researchers at Sucuri explained.
“When exploited, this vulnerability has the capability to overwrite certain files within the WordPress file structure. “This would allow a takeover of the website, and could elevate the privileges of subscriber accounts into admins.”
The second bug carries a high-severity CVSS score of 7.7 and affects versions 4.1.3.1 and 4.1.5.2
All in One SEO users should update to the patched version to be safe. Additonal defensive steps include:
- Reviewing the administrator users in the system and removing any suspect ones;
- Changing all administrator account passwords; and
- Adding additional hardening to the administrator panel.
Plugin Paradise for Website Hackers
“WordPress plugins continue to be a major risk to any web application, making them a regular target for attackers.
Shadow code introduced via third-party plugins and frameworks vastly expands the attack surface for websites.”
The warning comes as new bugs continue to crop up.
Website owners need to be vigilant about third-party plugins and frameworks and stay on top of security updates. They should secure their websites using web application firewalls.
Interested in a weekly cybersecurity newsletter?
Click here