threatpost.com
35.173.160.135  Public Scan

Submitted URL: https://mkto-sj130112.com/MDAxLVZKWC0xMDQAAAGCEt0J8LI9v8JxgYvqLgXl6APRuu1d1YGIV5XGSM6TGKnoLOOfGOO5e-0sfujfZbJBhliqJek=
Effective URL: https://threatpost.com/all-in-one-seo-plugin-bug-threatens-3m-wordpress-websites-takeovers/177240/?utm_source=marketo&u...
Submission: On January 19 via api from US — Scanned from DE

Text Content

ALL IN ONE SEO PLUGIN BUG THREATENS 3M WEBSITES WITH TAKEOVERS

Author: Tara Seals
December 22, 2021 1:24 pm
3 minute read

A critical privilege-escalation vulnerability could lead to backdoors for admin
access nesting in web servers.

A popular WordPress SEO-optimization plugin, called All in One SEO, has a pair
of security vulnerabilities that, when combined into an exploit chain, could
leave website owners open to site takeover. The plugin is used by more than 3
million websites.

An attacker with an account on the site – such as a subscriber, shopping
account holder or member – can take advantage of the holes, which are a
privilege-escalation bug and an SQL-injection problem, according to researchers
at Sucuri.



“WordPress websites by default allow any user on the web to create an account,”
researchers said in a posting on Wednesday. “By default, new accounts are ranked
as subscriber and do not have any privileges other than writing comments.
However, certain vulnerabilities, such as the ones just discovered, allow these
subscriber users to have vastly more privileges than they were intended to
have.”

The pair is ripe for easy exploitation, according to Sucuri, so users should
upgrade to the patched version, v. 4.1.5.3. Marc Montpas, a security researcher
at Automattic, was credited with finding the bugs.


PRIVILEGE ESCALATION AND SQL INJECTION

The more severe issue out of the two bugs is the privilege-escalation problem,
which affects versions 4.0.0 and 4.1.5.2 of All in One SEO. It carries a
critical rating of 9.9 out of 10 on the CVSS vulnerability-severity scale, due
to its extreme ease of exploitation and the fact that it can be used to
establish a backdoor on the web server.

The vulnerability “can be exploited by simply changing a single character of a
request to upper-case,” researchers at Sucuri explained.

Essentially, the plugin exposes various REST API endpoints that accept commands,
and it performs a permissions check to make sure no one is doing anything they
are not allowed to do. However, the REST API routes are case-sensitive, so an
attacker need only alter the case of one character to bypass the authentication
checks, according to the writeup.

“When exploited, this vulnerability has the capability to overwrite certain
files within the WordPress file structure, effectively giving backdoor access to
any attacker,” Sucuri researchers said. “This would allow a takeover of the
website, and could elevate the privileges of subscriber accounts into admins.”
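To make the mismatch concrete, here is an added model of the flaw class, written for this page and not taken from the plugin (whose code is PHP): a router that resolves routes case-insensitively, a permission lookup that compares the route exactly as requested, the hardened form that canonicalizes before checking and denies unknown routes, and a check over access-log lines for requests that only match a privileged route after case-folding. The route `/aioseo/v1/objects` is the endpoint the article names; every other route, user, capability name and log line is a constructed placeholder.

```python
"""Model of a route-based REST permission check with the case-handling flaw
described in the article, its hardened form, and a log check for requests whose
path matches a privileged route only after case-folding.
All routes (except /aioseo/v1/objects), users and log lines are constructed."""
import re
from urllib.parse import unquote, urlsplit

REST_PREFIX = "/wp-json"

# route -> capability required, or None for a public route.
# "/aioseo/v1/objects" is named in the article; the others are placeholders.
ROUTES = {
    "/aioseo/v1/objects": "manage_options",
    "/example/v1/settings": "manage_options",
    "/example/v1/ping": None,
}


class User:
    def __init__(self, name, capabilities=()):
        self.name = name
        self.capabilities = set(capabilities)

    def can(self, capability):
        return capability in self.capabilities


def raw_route(path):
    """Strip the REST prefix but keep the route exactly as it was requested."""
    route = unquote(urlsplit(path).path)
    if route.startswith(REST_PREFIX):
        route = route[len(REST_PREFIX):]
    return route


def canonical_route(path):
    """One normal form shared by router and permission check:
    collapse repeated slashes, drop a trailing slash, lower-case."""
    route = re.sub(r"/+", "/", raw_route(path)).rstrip("/")
    return route.lower() or "/"


def resolve(path):
    """The router in this model matches registered routes case-insensitively."""
    route = canonical_route(path)
    return route if route in ROUTES else None


def vulnerable_gate(user, path):
    """Flawed check: looks up the capability with the route as requested.
    A request that reaches a handler through the case-insensitive router but
    is not found here is treated as if no capability were required."""
    required = ROUTES.get(raw_route(path))
    return required is None or user.can(required)


def hardened_gate(user, path):
    """Fixed check: same canonical form as the router, deny unknown routes."""
    route = resolve(path)
    if route is None:
        return False
    required = ROUTES[route]
    return required is None or user.can(required)


def handle(user, path, gate):
    """HTTP status the request would get under the given permission gate."""
    if resolve(path) is None:
        return 404
    return 200 if gate(user, path) else 403


# Constructed access-log lines (combined log format) for the detection check.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Dec/2021:10:01:02 +0000] "GET /wp-json/aioseo/v1/objects HTTP/1.1" 403 125 "-" "curl/7.79"',
    '203.0.113.5 - - [22/Dec/2021:10:01:09 +0000] "GET /wp-json/aioseo/v1/Objects HTTP/1.1" 200 2048 "-" "curl/7.79"',
    '198.51.100.7 - - [22/Dec/2021:10:02:00 +0000] "POST /wp-json/example/v1/ping HTTP/1.1" 200 14 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Dec/2021:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_case_mismatch(log_lines):
    """Return (line number, requested route, status) for REST requests whose
    path contains upper-case characters yet resolves to a known route once
    lower-cased, which is the pattern the article's bypass would leave."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = LOG_LINE.search(line)
        if not match or not match.group("path").startswith(REST_PREFIX):
            continue
        raw = raw_route(match.group("path"))
        if canonical_route(match.group("path")) in ROUTES and raw != raw.lower():
            findings.append((number, raw, int(match.group("status"))))
    return findings


if __name__ == "__main__":
    subscriber = User("subscriber", ["read"])
    for gate in (vulnerable_gate, hardened_gate):
        print(gate.__name__, handle(subscriber, "/wp-json/aioseo/v1/Objects", gate))
    print(flag_case_mismatch(SAMPLE_LOG))
```

The design point is that the permission check must operate on the same canonical route the router used to pick the handler; any normalization the router applies (case, slashes, percent-decoding) that the gate does not apply is a bypass. The log check is only a triage aid: a hit shows a mixed-case request that served a privileged route, and a 200 status on such a line is worth investigating on an unpatched site.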

The second bug carries a high-severity CVSS score of 7.7 and affects versions
4.1.3.1 and 4.1.5.2 of All in One SEO.

Specifically, the issue lies in an API endpoint called
“/wp-json/aioseo/v1/objects.” If attackers exploited the previous vulnerability
to elevate their privileges to admin level, they would gain the ability to
access the endpoint, and from there be able to send malicious SQL commands to
the back-end database to retrieve user credentials, admin information and other
sensitive data, according to Sucuri.

All in One SEO users should update to the patched version to be safe,
researchers said. Other defensive steps include:

 1. Reviewing the administrator users in the system and removing any suspect
    ones;
 2. Changing all administrator account passwords; and
 3. Adding additional hardening to the administrator panel.


PLUGIN PARADISE FOR WEBSITE HACKERS

WordPress plugins continue to be an attractive path to site compromise for
cyberattackers, researchers noted. For instance, earlier in December, an active
attack swelled against more than 1.6 million WordPress sites, with researchers
spotting tens of millions of attempts to exploit four different plugins and
several Epsilon Framework themes.

“WordPress plugins continue to be a major risk to any web application, making
them a regular target for attackers,” Uriel Maimon, senior director of emerging
technologies at PerimeterX, said via email. “Shadow code introduced via
third-party plugins and frameworks vastly expands the attack surface for
websites.”

The warning comes as new bugs continue to crop up. Earlier this month, for
instance, the plugin “Variation Swatches for WooCommerce,” installed across
80,000 WordPress-powered retail sites, was found to contain a stored cross-site
scripting (XSS) security vulnerability that could allow cyberattackers to inject
malicious web scripts and take over sites.

In October, two high-severity vulnerabilities in Post Grid, a WordPress plugin
with more than 60,000 installations, were found to open the door to site
takeovers, according to researchers. To boot, nearly identical bugs are also
found in Post Grid’s sister plug-in, Team Showcase, which has 6,000
installations.

Also in October, a WordPress plugin bug was discovered in the Hashthemes Demo
Importer offering, which allowed users with simple subscriber permissions to
wipe sites of all content.

“Website owners need to be vigilant about third-party plugins and frameworks and
stay on top of security updates,” Maimon said. “They should secure their
websites using web application firewalls, as well as client-side visibility
solutions that can reveal the presence of malicious code on their sites.”


 * Vulnerabilities
 * Web Security


Copyright © 2022 Threatpost