Flaws in WordPress plugin put 3 million websites at risk

Application security, response to incidents and breaches, next-generation technologies and secure development

Operation may have exposed REST-API endpoints on sites

Prajeet Nair (@prajeetspeaks) •
December 27, 2021

Security researchers have discovered two serious vulnerabilities in a popular WordPress SEO plugin used by over 3 million website owners. If left unchecked, the vulnerabilities could allow an attacker to take advantage of an elevation of privilege bug and SQL injection problem.

See also: How to improve your defenses with Security Analytics

Both vulnerabilities are found in All in One SEO, which was released in 2007 and is used by WordPress website owners to ensure their websites rank higher in search engines.

When combined, they can become a chain of exploitation that could allow an attacker to take over websites – if the attacker has an account on the website, which can simply be a subscriber account.

“WordPress websites by default allow any user on the web to create an account. By default, new accounts are classified as ‘subscribed’ and have no privileges other than to write comments,” Sucuri researchers say. .

These vulnerabilities allow subscribers to have more privileges than expected and, when exploited in tandem, the security holes allow an attacker to take hold of an unpatched WordPress website, researchers say.

Vulnerability analysis

Marc Montpas, a security research engineer at Automattic, first detected the SQL injection vulnerability and elevation of privilege bug during an internal audit of the All In One SEO plugin.

“If exploited, the SQL injection vulnerability could allow attackers to access privileged information in the affected site’s database (for example, hashed usernames and passwords). This could ultimately allow users with less privileged accounts, such as subscribers, to execute code remotely on affected sites, ”Montpas said.

He says the researchers reported the vulnerabilities to the plug-in’s author via email, and the author recently released version to address it.

Sucuri researchers performed an in-depth analysis of these vulnerabilities and found that the first issue with this plug-in, which affects All in One SEO versions 4.0.0 and, can be exploited by simply changing a single character of an uppercase request.

“This plug-in has access to a number of REST API endpoints, but performs a permission check before executing the commands sent. This ensures that the user has the correct permissions to request the plug-in. in to execute commands. However, All in One SEO has done this ignores the subtle fact that WordPress treats these REST API routes as case-insensitive strings. Changing a single character to uppercase would bypass the d-checks altogether. ‘authentication,’ the researchers say.

When exploited, this vulnerability can overwrite certain files within the WordPress file structure, giving backdoor access to any attacker, which would allow website takeover and could elevate the privileges of subscriber accounts by administrators.

The second vulnerability is present in versions and of the plug-in. The endpoint is not intended to be accessed by low-level accounts, but with the previous authenticated elevation of privilege vulnerability, attackers can run SQL commands to disclose sensitive database data, including including user credentials and administrative information.

“The appeal of WordPress lies in its flexibility of use as well as its ease of configuration and use. But, like any software, its developers and those who make WordPress components, such as plugins and templates, will make mistakes. leads to the introduction of vulnerabilities to a user’s website. For this reason, it is important that users take a holistic look at their WordPress environment and build security into every component. This includes the server, network and application layers, ”explains Leo Pate, management consultant at application security provider nVisium.


“While the requirements of an operating chain provide some level of immunity to most users of this plug-in, website owners simply cannot rely on it as a form of protection. Each plugin vulnerability explains the need for website owners to use a good security plugin, configure a web application firewall, and most importantly, enable automatic WordPress updates for plugins. ins, themes and kernel, while ensuring that their website is now fully up-to-date and backed up regularly, ”said Yehuda Rosen, senior software engineer at application security vendor nVisium.

Researchers recommend that all sites be updated with the latest patched versions of the plug-in.

Rosen also says website administrators should protect and harden their sites to avoid having to clean up after a hack.

The growing threat of plug-ins

Earlier this month, security firm Wordfence Security identified a massive wave of ongoing attacks against more than 1.6 million WordPress sites. The report states that over 13.7 million different attack attempts were made over a 36 hour period, and all focused on leveraging four different WordPress plugins and multiple Epsilon framework themes.

This attack campaign, which originated from more than 16,000 different IP addresses, allowed attackers to take over vulnerable sites through the use of arbitrary option updates (see: Massive attack targets 1.6 million WordPress sites).

In October, Wordfence researchers warned that a WordPress plugin installed on more than a million websites was vulnerable to high-severity bugs.

The vulnerabilities of the OptinMonster plug-in, which helps customers create sales campaigns, would have allowed attackers to export sensitive information and add malicious pieces of code or JavaScript to all affected WordPress sites (see: WordPress plugin bugs put more than a million sites at risk).

In March, Wordfence researchers reported that a WordPress plugin called Tutor LMS had several vulnerabilities associated with unprotected Ajax endpoints. These flaws were then corrected (see: Fixed WordPress LMS Tutor plugin flaws).

Esther L. Gunn