Two critical and high severity security vulnerabilities in the highly popular “All in One” SEO WordPress plugin exposed over 3 million websites to takeover attacks.
The security flaws discovered and reported by Automattic security researcher Marc Montpas are a critical Authenticated Privilege Escalation bug (CVE-2021-25036) and a high severity Authenticated SQL Injection (CVE-2021-25037).
The plugin’s developer released a security update to address both All in One bugs on December 7, 2021.
However, more than 820,000 sites using the plugin are yet to update their installation, according to download statistics for the last two weeks since the patch was released, and are still exposed to attacks.
Bijay Pokharel
Related posts
Subscribe
Cybersecurity Newsletter
You have Successfully Subscribed!
Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox. You are also consenting to our Privacy Policy and Terms of Use.