WordPress: 800,000 websites compromisable by All in One SEO plugin

[German]The popular WordPress plugin All in One SEO has two vulnerabilities (CVE-2021-25036 and CVE-2021-25037), which make the corresponding installations vulnerable. Since the plugin is quite popular, you should immediately look to get an updated version. Otherwise, the WordPress instance will be hacked sooner or later.n sofort schauen, dass man eine aktualisierte Fassung erhält. Sonst wird die WordPress-Instanz früher oder später gehackt.


All in One SEO is a WordPress SEO plugin that was introduced in 2007. The idea behind the SEO stuff is to "set up" WordPress properly so that websites can rank better in search engines. So for every good WordPress user, some kind of SEO plugin belongs to it.

In the sense of "good WordPress user" is with me there rather hop and malt lost. I avoid this kind of plugins like the devil the holy water. Why? There are two reasons: If a website has crappy content, an SEO plugin is of little use – but if the content is good and possibly unique, the site is also found by search engines – I see in my blog posts. Secondly, with SEO plugins in the past again and again by weaknesses and malfunctions have attracted attention. Therefore, I drive in my blog the approach to be as sparing as possible with WordPress plugins.

Now I came across a post from the colleagues at Bleeping Computer that the WordPress plugin All in One SEO has two critical security vulnerabilities in older versions.  Automattic security researcher Marc Montpas discovered and then reported the vulnerabilities. The vulnerabilities are a critical Authenticated Privilege Escalation flaw (CVE-2021-25036) and a serious Authenticated SQL Injection vulnerability (CVE-2021-25037)

What makes these vulnerabilities so dangerous is that threat actors do need to be authenticated to successfully exploit the two vulnerabilities. However, an attacker only needs low privileges as a WordPress user role such as "Subscriber" to attempt an attack. So it is enough if they can register visitors of a WordPress site as readers and then log in to comment on published articles if necessary (I don't allow such things in my blogs for security reasons).

The CVE-2021-25036 vulnerability can be used to elevate privileges to allow remote code execution on vulnerable websites. This is likely to allow them to be taken over completely. The developers released version of the plugin with a security fix 14 days ago. So the vulnerabilities have been fixed in the meantime – but WordPress owners who rely on the plugin need to make sure that this version is installed. There are probably around 800,000 users who have not yet updated.

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *