800,000 WordPress sites still vulnerable to simple takeover attacks

WordPress logo
(Image credit: WordPress)

Despite two critical flaws in a popular WordPress plugin being patched weeks ago, hundreds of thousands of webmasters are yet to deploy the update, putting their sites at risk of takeover attacks.

The “All in One” SEO WordPress plugin was vulnerable to two flaws - CVE-2021-25036, which is a critical Authenticated Privilege Escalation flaw, and CVE-2021-25037, a high-severity Authenticated SQL Injection bug. 

In total, three million sites were vulnerable to the flaw. In the past two weeks, since the patch was issued by the plugin’s developers, more than two million plugins were updated, leaving some 820,000 still vulnerable. 

Updating the plugins fast

Even though the flaws require the attacker to be authenticated with WordPress, they only need low-level permissions, such as Subscriber, to work. Usually, a Subscriber can only post comments and edit their own profile, but with CVE-2021-25036, they can elevate their privileges and remotely execute code on vulnerable sites. 

Automattic security researcher Marc Montpas, who first spotted the flaws, says abusing these flaws on vulnerable sites is easy, as all the attacker needs to do is change “a single character to uppercase” to circumvent all privilege checks.

"This is particularly worrying because some of the plugin's endpoints are pretty sensitive. For example, the aioseo/v1/htaccess endpoint can rewrite a site's .htaccess with arbitrary content," he said. "An attacker could abuse this feature to hide .htaccess backdoors and execute malicious code on the server."

Webmasters using the All in One SEO WordPress plugin should make sure they update it to version 4.1.5.3. 

Serious flaws that come with WordPress plugins are a relatively common occurrence. For example, just a month ago, a vulnerability in the Starter Templates - Elementor, Gutenberg & Beaver Builder Templates plugin, allowed contributor-level users to completely overwrite any page on the site, and embed malicious JavaScript at will. In this case, more than a million sites were at risk.

The same month, the “Preview E-mails for WooCommerce” plugin was also found to hold a serious flaw, potentially allowing attackers complete site takeover. The plugin was used by more than 20,000 sites. 

  • You might also want to check out our list of the best firewalls right now

Via: Bleeping Computer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.