"Flaws in WordPress Plugin Put 3 Million Websites at Risk"

Severe vulnerabilities have been discovered in the All In One SEO WordPress plugin, affecting over 3 million websites. The flaws are a SQL injection issue and a privilege-escalation bug. When chained, the two vulnerabilities let an attacker take over a website as long as they hold an account on it. WordPress websites allow any visitor to create an account by default, and a new account is automatically assigned the subscriber role, which can only write comments. Exploiting the vulnerabilities gives subscriber accounts more privileges than writing comments, and when abused together, the flaws allow an attacker to gain control over an unpatched WordPress website. According to Marc Montpas, a security research engineer at Automattic who first detected the vulnerabilities during an internal audit of the All In One SEO plugin, the SQL injection vulnerability could grant attackers access to privileged information stored in the affected site's database, such as usernames and hashed passwords. The privilege-escalation bug could give malicious actors access to protected REST API endpoints, thus enabling users with low-privileged accounts to perform remote code execution (RCE) on impacted websites. This article continues to discuss the discovery, analysis, and mitigation of the critical vulnerabilities in the All In One SEO plugin, as well as the rise in WordPress plugin exploitation.
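The two bug classes named above, a REST endpoint reachable by low-privileged accounts and a query built from request input, are both addressed by the same two WordPress APIs. The following is an added illustration written for this summary, not code from the All In One SEO plugin or from the article; the route name, function names and table column are assumptions.

```php
<?php
// Added example (not the All In One SEO plugin's code). Shows a WordPress REST
// endpoint that (1) gates access on a real capability check, so a subscriber
// account cannot reach it, and (2) passes request input to the database only
// through $wpdb->prepare(). Route, function and column names are assumed.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/post-meta/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_plugin_get_post_meta',
        // A missing or always-true permission_callback is the usual
        // privilege-escalation defect: any authenticated user, including a
        // subscriber, could then call the endpoint. Require an editor-level
        // capability instead of relying on the route being "hidden".
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_others_posts' );
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_plugin_get_post_meta( WP_REST_Request $request ) {
    global $wpdb;

    // Vulnerable form, shown only for contrast: interpolating the raw request
    // value lets a crafted parameter alter the SQL statement.
    //   $raw  = $request->get_param( 'id' );
    //   $rows = $wpdb->get_results( "SELECT meta_key, meta_value FROM {$wpdb->postmeta} WHERE post_id = $raw" );

    // Hardened form: the value is bound through a %d placeholder by
    // $wpdb->prepare(), so it is always treated as data, never as SQL.
    $post_id = (int) $request['id'];
    $rows    = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT meta_key, meta_value FROM {$wpdb->postmeta} WHERE post_id = %d",
            $post_id
        ),
        ARRAY_A
    );

    return rest_ensure_response( $rows );
}
```

When auditing a plugin for the issues described above, the two things to check for every `register_rest_route()` call are that `permission_callback` tests a capability appropriate to what the endpoint does (not merely `is_user_logged_in()`), and that every `$wpdb` query taking request input goes through `$wpdb->prepare()` with typed placeholders.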

BankInfoSecurity reports "Flaws in WordPress Plugin Put 3 Million Websites at Risk"
