Jetpack security researchers discovered two serious vulnerabilities in the all-in-one SEO plugin. These vulnerabilities may allow hackers to access usernames and passwords and perform remote code execution attacks.
These vulnerabilities depend on each other to succeed. The first is called a privilege escalation attack, which allows users with low-level website access rights (such as subscribers) to increase their privilege level to users with more access rights (such as website administrators).
Jetpack security researchers described the vulnerability as serious and warned of the following consequences:
advertise
Keep reading below
“If exploited, SQL injection vulnerabilities could allow attackers to access privileged information (for example, usernames and hashed passwords) in the affected site’s database.”
Authenticated privilege escalation
One of the vulnerabilities is the use of the Authenticated Privilege Escalation vulnerability of the WordPress REST API, allowing attackers to access usernames and passwords.
The REST API is a way for plugin developers to interact with the WordPress installation in a secure manner to enable features that do not compromise security.
This vulnerability exploits the WordPress REST API endpoint (representing the URL of the post, etc.). Attacks on the REST API are increasingly becoming a weakness in WordPress security.
advertise
Keep reading below
But this is not the fault of WordPress, because the REST API is designed with security in mind.
If the finger must be pointed, the fault lies entirely with the plug-in.
In the all-in-one SEO plugin, the problem lies in the security check, which verifies that the user accessing the API endpoint has the correct authorization credentials.
According to Jetpack:
“The permission check used by All In One SEO to protect REST API endpoints contains a very subtle error that may grant users with low-privileged accounts (such as subscribers) access to each endpoint registered by the plugin.
…Since it does not take into account the fact that WordPress treats REST API routing as a case-insensitive string, changing a single character to uppercase will completely bypass the permission check routine. “
Hmm…right?
Authenticated SQL injection
The second vulnerability is authenticated SQL injection. This relies on the attacker first having some user credentials, even as low as the credentials of website subscribers.
SQL injection is the use of a series of unexpected codes or characters to take advantage of input, and then enable exploits, such as providing access permissions.
Non-profit Open Web Application Security Project (OWASP) site Define an SQL injection like this:
- “Unexpected data entered the program from an untrusted source.
- The data is used to dynamically construct SQL queries”
Jetpack pointed out that the privilege escalation vulnerability allows an attacker to subsequently launch an Authenticated SQL Injection attack.
advertise
Keep reading below
“Although this endpoint does not mean that users with low-privileged accounts can access it, the above-mentioned privilege escalation attack vector makes it possible for them to abuse this vulnerability.”
Recommend to update SEO plugin
This vulnerability affects versions 4.0.0 to 4.1.5.2. The latest version 4.1.5.3 at this time is the safest update version. Jetpack’s security researchers recommend updating to the latest version.
Citation
Read the Jetpack vulnerability report:
Critical vulnerabilities fixed in all-in-one SEO plugin version 4.1.5.3
