CVE-2021-25036

January 24, 2022

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.

Summary:

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.

Reference Links(if available):

  • https://plugins.trac.wordpress.org/changeset/2640944/all-in-one-seo-pack/trunk/app/Common/Api/Api.php
  • https://jetpack.com/2021/12/14/severe-vulnerabilities-fixed-in-all-in-one-seo-plugin-version-4-1-5-3/
  • https://wpscan.com/vulnerability/6de4a7de-6b71-4349-8e52-04c89c5e6d6c

  • CVSS Score (if available)

    v2: / MEDIUM

    v3: /

    Links to Exploits(if available)

  • Tags: , , , ,

    You may have missed

    CISA Logo

    CISA: Cisco Releases Security Advisories for Cisco Integrated Management Controller

    April 26, 2024
    CISA Logo

    CISA: CISA and Partners Release Advisory on Akira Ransomware

    April 26, 2024
    CISA Logo

    CISA: CISA Releases Four Industrial Control Systems Advisories

    April 26, 2024
    CISA Logo

    CISA: CISA Releases Three Industrial Control Systems Advisories

    April 26, 2024
    CISA Logo

    CISA: Oracle Releases Critical Patch Update Advisory for April 2024

    April 26, 2024