Two serious vulnerabilities have been discovered in a popular WordPress SEO plug-in used by over 3 million website owners, according to security researchers. If left unpatched, the flaws expose sites to a privilege-escalation bug as well as a SQL-injection issue.

The two flaws are in All in One SEO, a WordPress plugin that was released in 2007 and is used by website owners to ensure their sites rank higher in search engines.

When used together, they form an exploit chain that allows an attacker to take control of a website, provided the attacker has an account on that site, which can be as simple as a subscriber account.

“WordPress websites by default allow any user on the web to create an account. By default, new accounts are ranked as ‘subscribers’ and do not have any privileges other than writing comments,” Sucuri’s researchers claim.

According to the researchers, these flaws let subscribers obtain more privileges than they are intended to have, and when exploited together they allow an attacker to take control of an unpatched WordPress website.

Vulnerabilities Analysis

During an internal audit of the All In One SEO plug-in, Marc Montpas, a security research engineer at Automattic, discovered the SQL injection vulnerability and privilege-escalation bug.

“If exploited, the SQL injection vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords). The privilege-escalation bug we discovered may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites,” Montpas explains.

According to him, the researchers notified the plug-in's author via email about the vulnerabilities, and the author recently released version 4.1.5.3 to address them.

Sucuri researchers investigated these flaws in depth and found that the first vulnerability, which affects All in One SEO versions 4.0.0 through 4.1.5.2, can be exploited simply by changing a single character in a request to uppercase.

“This plug-in has access to a number of REST API endpoints but performs a permission check before executing any commands sent. This ensures that the user has proper permissions to instruct the plug-in to execute commands. However, All in One SEO did not account for the subtle fact that WordPress treats these REST API routes as case-insensitive strings. Changing a single character to uppercase would bypass the authentication checks altogether,” the researchers say.

When exploited, this vulnerability can overwrite certain files within the WordPress file structure, giving any attacker backdoor access to the website and allowing them to elevate subscriber account privileges to admin.
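To make the bug pattern concrete from a defender's side, here is a constructed Python model (added here; not the plugin's code, and the route names and capabilities are hypothetical) of a router that matches routes case-insensitively beside a permission check that compares the raw request path, with the hardened check and a log-triage helper alongside it:

```python
import re

# Constructed model of the route-handling flaw described above; the route
# names and capabilities are hypothetical, not taken from the plugin's code.
# Each registered route maps to the WordPress capability it should require.
ROUTES = {
    "/aioseo/v1/settings": "manage_options",  # admin-only (hypothetical)
    "/aioseo/v1/public":   "read",            # any logged-in user (hypothetical)
}

def route_matches(path):
    """WordPress-style dispatch: registered routes are matched case-insensitively."""
    return any(re.fullmatch(re.escape(r), path, re.IGNORECASE) for r in ROUTES)

def permission_check_flawed(path, caps):
    """Flawed check: exact-case lookup of the raw request path, and any path
    with no table entry falls through to 'allowed'."""
    needed = ROUTES.get(path)
    return needed is None or needed in caps

def permission_check_fixed(path, caps):
    """Hardened check: normalize the path the same way the router does, and
    deny by default when no capability entry exists."""
    table = {r.lower(): cap for r, cap in ROUTES.items()}
    needed = table.get(path.lower())
    return needed is not None and needed in caps

def handle(path, caps, check):
    """Dispatch a request; returns 'executed', 'forbidden' or 'no route'."""
    if not route_matches(path):
        return "no route"
    return "executed" if check(path, caps) else "forbidden"

def is_suspicious(path):
    """Detection aid for access logs: a request that reaches a registered route
    only via a case variant of its canonical spelling is worth flagging."""
    return route_matches(path) and path not in ROUTES

SUBSCRIBER = {"read"}
ADMIN = {"read", "manage_options"}
```

The two defensive changes are independent: normalizing the path closes the case mismatch, and defaulting to deny means an unlisted route can never be reached by accident.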

The second vulnerability affects plug-in versions 4.1.3.1 through 4.1.5.2. The affected endpoint isn't meant to be reachable by low-level accounts, but an attacker can chain the authenticated privilege-escalation vulnerability above to reach it and run SQL commands on the database, leaking sensitive data such as user credentials and admin information.

“The appeal of WordPress is its flexibility in purpose as well as its ease of setup and use. But, just like any software, its developers, and those that make WordPress components such as plug-ins and templates, will make mistakes. This leads to vulnerabilities being introduced in a user’s website. Because of this, it is important for users to look holistically at their WordPress environment and incorporate security at each component. This includes server, network and application layers,” said Leo Pate, managing consultant at nVisium, an application security provider.

Mitigation

“While the requirements for an exploit chain do offer some level of immunity for most users of this plug-in, website owners simply cannot rely on that as a form of protection. Every single plug-in vulnerability drives home the need for website owners to use a good security plug-in, set up a web application firewall, and most importantly, to enable WordPress auto-updates for plug-ins, themes and core, as well as ensuring their now-fully-up-to-date website is backed up regularly,” said Yehuda Rosen, a senior software engineer at nVisium.

All sites should be updated to the latest patched version of the plug-in, the researchers advise.

Rosen also recommends that website administrators protect and harden their sites to avoid having to clean up after a hack.

Rising Plug-In Menace

Wordfence Security, a security firm, discovered a massive wave of ongoing attacks against more than 1.6 million WordPress sites earlier this month. Over the course of 36 hours, more than 13.7 million attack attempts were made, all aimed at exploiting four different WordPress plug-ins and several Epsilon Framework themes, according to the report.

Researchers from Wordfence warned in October that a WordPress plug-in used by over 1 million websites was vulnerable to high-severity bugs.

Attackers could have used the vulnerabilities in the OptinMonster plug-in, which helps customers create sales campaigns, to export sensitive data and to inject malicious code or JavaScript into all affected WordPress sites (see: Over 1 Million sites are at risk of remote takeover due to a WordPress plugin vulnerability).

Also in October, one of the most popular WordPress cache plug-ins was reported to be at risk from security vulnerabilities (see: Vulnerabilities in the Cache Plugin risks over 1 million sites).