Security researchers at Jetpack have uncovered two critical vulnerabilities in the All In One SEO Plugin. These vulnerabilities could enable a hacker to gain access to usernames and passwords and also execute remote code.
The two vulnerabilities depend on each other to succeed. The first one, known as a Privilege Escalation Attack, allows a user with low website access privileges (such as a subscriber) to elevate their privilege level to that of a higher-privileged user (like a website administrator).
The researchers at Jetpack describe the vulnerability as severe, warning that exploiting the SQL Injection vulnerability could grant attackers access to sensitive information from the affected site’s database, including usernames and hashed passwords.
### Authenticated Privilege Escalation
One of the exploits is an Authenticated Privilege Escalation vulnerability that targets the WordPress REST API and, in turn, enables an attacker to access usernames and passwords. The REST API lets plugin developers interact with the WordPress installation to add functionality without compromising its security.
This vulnerability exploits the WordPress REST API endpoints (URLs representing posts, etc.). The REST API is increasingly a weak point in WordPress security. However, the fault doesn’t lie with WordPress, as the REST API is designed with security in mind. The issue in the All In One SEO plugin was with the security checks that verify whether a user accessing an API endpoint has the required privileges.
According to Jetpack, the privilege checks applied by All In One SEO to secure REST API endpoints contained a subtle bug. This bug could grant users with low-privileged accounts (like subscribers) access to every single endpoint the plugin registers. Since the checks did not account for the fact that WordPress treats REST API routes as case-insensitive strings, changing a single character to uppercase would bypass the privilege checks routine.
### Authenticated SQL Injection
The second exploit is an Authenticated SQL Injection. This requires an attacker to have some user credentials, even as low as a website subscriber. A SQL injection occurs when unexpected code or characters in user input are incorporated into a database query, so that the input changes what the query does and can, for example, grant access to data it should not return.
The non-profit Open Web Application Security Project (OWASP) defines a SQL Injection as unintended data entering a program from an untrusted source and being used to dynamically construct a SQL query.
Jetpack notes that the privilege escalation vulnerability allows an attacker to mount an Authenticated SQL Injection attack. While this endpoint wasn’t meant to be accessible to users with low-privileged accounts, the privilege escalation attack vector made it possible for them to exploit this vulnerability.
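The following is an added example illustrating the OWASP definition quoted above; it is not code from the plugin or from Jetpack's report. It builds a small constructed SQLite users table and contrasts a query assembled from an untrusted string with the same query using parameter binding, which keeps the input as data rather than query structure. The table layout, the sample rows and the hash values are all constructed.

```python
# Added example (not the plugin's code): dynamically constructed query vs.
# parameterised query, run against a constructed in-memory database.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
        "pass_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (login, pass_hash, role) VALUES (?, ?, ?)",
        [
            ("admin", "<placeholder-hash-1>", "administrator"),
            ("subscriber1", "<placeholder-hash-2>", "subscriber"),
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, login: str) -> list:
    """Vulnerable: untrusted input is concatenated into the SQL text, so the
    input can alter the WHERE clause and return rows it was never meant to."""
    sql = "SELECT login, role FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, login: str) -> list:
    """Hardened: the value is bound as a parameter; the query structure is fixed
    before the input is ever seen by the database engine."""
    return conn.execute(
        "SELECT login, role FROM users WHERE login = ?", (login,)
    ).fetchall()


def row_counts(login: str) -> tuple:
    """Returns (rows from unsafe lookup, rows from safe lookup) for one input,
    which makes the difference between the two functions easy to assert on."""
    conn = make_db()
    try:
        return len(lookup_unsafe(conn, login)), len(lookup_safe(conn, login))
    finally:
        conn.close()
```

For a well-formed login both functions return the same single row; for an input that carries quote characters, only the concatenated version lets the input rewrite the query, which is the behaviour the OWASP definition describes. In WordPress plugin code the equivalent of parameter binding is `$wpdb->prepare()`.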
### Updating SEO Plugin Recommended
These vulnerabilities affect versions 4.0.0 through 4.1.5.2. The latest version, 4.1.5.3, fixes them and is the safest version to update to. The researchers at Jetpack recommend updating to the latest version.
### Citations
#### Read the Jetpack vulnerability report:
Severe Vulnerabilities Fixed in All In One SEO Plugin Version 4.1.5.3
#### Read What a SQL Injection Is
SQL Injection