Newsletter
Join thousands of people who receive the latest breaking cybersecurity news every day.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.
Share this article:
A critical privilege-escalation vulnerability could lead to backdoors for admin access nesting in web servers.
A popular WordPress SEO-optimization plugin, called All in One SEO, has a pair of security vulnerabilities that, when combined into an exploit chain, could leave website owners open to site takeover. The plugin is used by more than 3 million websites.
An attacker with an account with the site – such as a subscriber, shopping account holder or member – can take advantage of the holes, which are a privilege-escalation bug and an SQL-injection problem, according to researchers at Sucuri.
Infosec Insiders Newsletter
“WordPress websites by default allow any user on the web to create an account,” researchers said in a posting on Wednesday. “By default, new accounts are ranked as subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have.”
 
The pair is ripe for easy exploitation, according to Sucuri, so users should upgrade to the patched version, v. 4.1.5.3. Security researcher at Automattic Marc Montpas was credited with finding the bugs.
The more severe issue out of the two bugs is the privilege-escalation problem, which affects versions 4.0.0 and 4.1.5.2 of All in One SEO. It carries a critical rating of 9.9 out of 10 on the CVSS vulnerability-severity scale, due to its extreme ease of exploitation and the fact that it can be used to establish a backdoor on the web server.
The vulnerability “can be exploited by simply changing a single character of a request to upper-case,” researchers at Sucuri explained.
Essentially, the plugin can send commands to various REST API endpoints, and it performs a permissions check to make sure no one’s doing anything they’re not allowed to do. However, the REST API routes are case-sensitive, so an attacker need only alter the case of one character to bypass the authentication checks, according to the writeup.
“When exploited, this vulnerability has the capability to overwrite certain files within the WordPress file structure, effectively giving backdoor access to any attacker,” Sucuri researchers said. “This would allow a takeover of the website, and could elevate the privileges of subscriber accounts into admins.”
The second bug carries a high-severity CVSS score of 7.7 and affects versions 4.1.3.1 and 4.1.5.2 of All in One SEO.
Specifically, the issue lies in an API endpoint called “/wp-json/aioseo/v1/objects.” If attackers exploited the previous vulnerability to elevate their privileges to admin-level, they would gain the ability to access the endpoint, and from there be able to send malicious SQL commands to the back-end database to retrieve user credentials, admin information and other sensitive data, according to Sucuri.
All in One SEO users should update to the patched version to be safe, researchers said. Other defensive steps include:
WordPress plugins continue to be an attractive path to site compromise for cyberattackers, researchers noted. For instance, earlier in December, an active attack swelled against more than 1.6 million WordPress sites, with researchers spotting tens of millions of attempts to exploit four different plugins and several Epsilon Framework themes.
“WordPress plugins continue to be a major risk to any web application, making them a regular target for attackers,” Uriel Maimon, senior director of emerging technologies at PerimeterX, said via email. “Shadow code introduced via third-party plugins and frameworks vastly expands the attack surface for websites.”
The warning comes as new bugs continue to crop up. Earlier this month for instance, the plugin “Variation Swatches for WooCommerce,” installed across 80,000 WordPress-powered retail sites, was found to contain a stored cross-site scripting (XSS) security vulnerability that could allow cyberattackers to inject malicious web scripts and take over sites.
In October, two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, were found to open the door to site takeovers, according to researchers. To boot, nearly identical bugs are also found in Post Grid’s sister plug-in, Team Showcase, which has 6,000 installations.
Also in October, a WordPress plugin bug was discovered in the Hashthemes Demo Importer offering, which allowed users with simple subscriber permissions to wipe sites of all content.
“Website owners need to be vigilant about third-party plugins and frameworks and stay on top of security updates,” Maimon said. “They should secure their websites using web application firewalls, as well as client-side visibility solutions that can reveal the presence of malicious code on their sites.”
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.
 
Share this article:
Don’t freak: It’s got nothing to do with Log4Shell, except it may be just as far-reaching as Log4j, given HTTPD’s tendency to tiptoe into software projects.
Attackers exploiting bugs in the “link preview” feature in Microsoft Teams could abuse the flaws to spoof links, leak an Android user’s IP address and launch a DoS attack.
There are 17,000 unpatched Log4j packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from Log4Shell exploits.


This site uses Akismet to reduce spam. Learn how your comment data is processed.
Join thousands of people who receive the latest breaking cybersecurity news every day.
1.8M+ attacks, against half of all corporate networks, are attempting to exploit #Log4Shell, including with a new r… https://t.co/dDky1faadm
6 days ago
Get the latest breaking news delivered daily to your inbox.
The First Stop For Security News
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.

source