RSS   Vulnerabilities for 'All in one seo'   RSS

2022-01-17
 
CVE-2021-25036

CWE-287
 

 
The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn??�??�??t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.

 
 
CVE-2021-25037

CWE-89
 

 
The All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue, which was discovered during an internal audit by the Jetpack Scan team, and could grant attackers access to privileged information from the affected site�??s database (e.g., usernames and hashed passwords).

 
2021-05-24
 
CVE-2021-24307

CWE-94
 

 
The All in One SEO �?? Best WordPress SEO Plugin �?? Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution.

 


Copyright 2024, cxsecurity.com

 

Back to Top