All In One SEO Vulnerability Affects +3 Million Sites

Security researchers at Jetpack discovered two serious vulnerabilities in the All In One SEO Plugin. The vulnerabilities could allow a hacker to access usernames and passwords and also perform remote code execution exploits.

The two vulnerabilities depend on each other to be exploited successfully. The first one is called a Privilege Escalation Attack, which allows a user with a low level of website access privilege (like a subscriber) to raise their privilege level to one with more access privileges (like a website administrator).

The security researchers at Jetpack describe the vulnerability as severe and warn of the following consequences:

“If exploited, the SQL Injection vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).”

Authenticated Privilege Escalation

One of the vulnerabilities is an Authenticated Privilege Escalation that abuses the WordPress REST API, allowing an attacker to access usernames and passwords.

The REST API gives plugin developers a secure way to interact with the WordPress installation and add functionality without compromising security.

This vulnerability abuses WordPress REST API endpoints (URLs representing posts, etc.). REST API endpoints are increasingly a weak point in WordPress security.

But it’s not the fault of WordPress because the REST API is designed with security in mind.

The fault, if fingers must be pointed, lies entirely with the plugins.

In the All In One SEO plugin, the problem was in the security checks that verify whether a user accessing an API endpoint has the required privileges.

According to Jetpack:

“The privilege checks applied by All In One SEO to secure REST API endpoints contained a very subtle bug that could’ve granted users with low-privileged accounts (like subscribers) access to every single endpoint the plugin registers.

…Since it didn’t account for the fact that WordPress treats REST API routes as case-insensitive strings, changing a single character to uppercase would completely bypass the privilege checks routine.”

Hmm… Right?
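
A minimal PHP model of the bug class Jetpack describes, added here as an illustration; it is not code from All In One SEO, WordPress or the Jetpack report. The route names, the capability map and the fail-open default in the flawed check are assumptions made for the example.

```php
<?php
// Added illustration: a simplified model, not All In One SEO or WordPress source.
// Route names and required capabilities are hypothetical.
const ROUTE_CAPS = [
    '/example-plugin/v1/settings' => 'manage_options',
    '/example-plugin/v1/ping'     => 'read',
];

// Router model: compares routes case-insensitively, the behaviour the
// Jetpack quote attributes to WordPress.
function route_exists(string $requested): bool {
    foreach (array_keys(ROUTE_CAPS) as $route) {
        if (preg_match('@^' . preg_quote($route, '@') . '$@i', $requested)) {
            return true;
        }
    }
    return false;
}

// Flawed check (assumed shape): exact, case-sensitive lookup, and a route
// that is not found in the map is treated as unrestricted.
function is_allowed_flawed(string $requested, array $userCaps): bool {
    if (!array_key_exists($requested, ROUTE_CAPS)) {
        return true; // fails open
    }
    return in_array(ROUTE_CAPS[$requested], $userCaps, true);
}

// Hardened check: normalise the route the same way the router compares it,
// and deny anything that is not explicitly mapped.
function is_allowed_hardened(string $requested, array $userCaps): bool {
    $key = strtolower($requested);
    if (!array_key_exists($key, ROUTE_CAPS)) {
        return false; // fails closed
    }
    return in_array(ROUTE_CAPS[$key], $userCaps, true);
}

// Constructed sample: a subscriber-like account holding only 'read'.
$subscriber = ['read'];
foreach (['/example-plugin/v1/settings', '/example-plugin/v1/Settings'] as $req) {
    printf("%-30s routed=%s flawed=%s hardened=%s\n", $req,
        var_export(route_exists($req), true),
        var_export(is_allowed_flawed($req, $subscriber), true),
        var_export(is_allowed_hardened($req, $subscriber), true));
}
```

Both requests reach the same route, but only the hardened check denies the mixed-case one, because its comparison matches the router's and an unmapped route is refused rather than allowed.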

Authenticated SQL Injection

The second vulnerability is an Authenticated SQL Injection. It requires the attacker to first have some user credentials, even those of an account as low-privileged as a website subscriber.

A SQL injection is the exploitation of an input with an unexpected series of code or characters, which the application then uses to build a database query, enabling the exploit, such as providing access.

The non-profit Open Web Application Security Project (OWASP) site defines a SQL Injection like this:

  1. “An unintended data enters a program from an untrusted source.
  2. The data is used to dynamically construct a SQL query”

Jetpack notes that the privilege escalation vulnerability allows an attacker to then mount the Authenticated SQL Injection attack.

“While this endpoint wasn’t meant to be accessible to users with low-privileged accounts, the aforementioned privilege escalation attack vector made it possible for them to abuse this vulnerability.”

Updating SEO Plugin Recommended

This vulnerability affects versions 4.0.0 through 4.1.5.2. The latest version at this time, 4.1.5.3, is the safest version to update to. The security researchers at Jetpack recommend updating to the latest version.

Citations

Read the Jetpack vulnerability report:

Severe Vulnerabilities Fixed in All In One SEO Plugin Version 4.1.5.3

Read What a SQL Injection Is

SQL Injection