Critical vulnerability in All In One SEO WordPress plugin affects 3 million websites

Cybersecurity specialists report the detection of a critical vulnerability in All In One SEO, one of the most popular plugins in WordPress, installed on more than 3 million websites operated by this content management system (CMS). The problem was identified during an internal audit, in conjunction with other flaws in popular plugins.

As some users will remember, All In One SEO is a plugin designed for WordPress that helps optimize the contents of the website in order that it improves its positioning in the search results. This plugin is designed for any website that employs SEO strategies.

The problem detected can be divided into two sections dependent on each other. The first is a flaw that resides directly in WordPress’ REST API function and its successful exploitation would allow threat actors to access information such as least-privilege usernames and passwords on the affected system.

According to the researchers, that flaw exists due to a weak endpoint in the plugin and could generate severe security problems for the affected websites.

On the other hand, the second flaw is an authenticated SQL injection, a well-known and dangerous hacking technique that allows threat actors to read, edit and even delete the databases of the affected website.

As mentioned above, All In One SEO is employed by over 3 million websites in WordPress, so the data of an exponentially larger number of users could be affected.

The security issues were identified in early December, so All In One SEO announced the release of a new version with the necessary fixes. The update is now ready, so users are encouraged to install version 4.1.5.3 to mitigate the risk of exploitation.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.