The plugin's developer released a security update to address both All in One bugs on December 7, 2021.

However, more than 820,000 sites using the plugin are yet to update their installation, according to download statistics for the last two weeks since the patch was released, and are still exposed to attacks. 

What makes these flaws highly dangerous is that, even though successfully exploiting the two vulnerabilities requires threat actors to be authenticated, they only need low-level permissions such as Subscriber to abuse them in attacks.

Subscriber is a default WordPress user role (just as Contributor, Author, Editor, and Administrator), commonly enabled to allow registered users to comment on articles published on WordPress sites.

Although subscribers are typically only able to edit their own profile besides posting comments, in this case, they can exploit CVE-2021-25036 to elevate their privileges and gain remote code execution on vulnerable sites and, likely, completely take them over.

WordPress admins urged to update ASAP

As Montpas revealed, escalating privileges by abusing CVE-2021-25036 is an easy task on sites running an unpatched All in One SEO version by "changing a single character to uppercase" to bypass all implemented privilege checks.

"This is particularly worrying because some of the plugin's endpoints are pretty sensitive. For example, the aioseo/v1/htaccess endpoint can rewrite a site's .htaccess with arbitrary content," Montpas explained.

"An attacker could abuse this feature to hide .htaccess backdoors and execute malicious code on the server."

WordPress admins still using All In One SEO versions affected by these severe vulnerabilities (between 4.0.0 and 4.1.5.2) who haven't already installed the 4.1.5.3 patch are advised to do it immediately.

Improve Wordpress Site Speed Score

The use of WordPress plugins adds a great deal of unnecessary weight to your website and could expose your to vulnerabilities, like the one above. Google announced that it will be placing great emphasis at the web page load speed for ranking web sites in 2022. Compared to custom built HTML sites, Wordpress is notorious to serve pages slow. You could check your web site speed using Google's own recommendation, the PageSpeed Insights.

How Wordpress Site Socre Changed

Google Page Speed Insights
Before Google Analytic Removal
Google Page Speed Insights
After Google Analytic Removal

There are about 15 different ways to improve your site page speed score. The example above illustrates what happens after we've removed Google Analytics (which added about 64KB of weight to each page) from our own PrivateAnalytix web site, and replaced it with a much lighter <1KB PrivateAnalytix tracking pixel.

This change can be implemented in less than 2 minutes and it could be tested alongside Google Analytics. The PrivateAnalytix tracking pixel provides not only a tangible speed advantage, but allows you to see more precise analytics (not blocked by sites and AD blockers) and lets you remove the highly intrusive cookie consents from your pages.

Try us free for 7 days and see how your web site performance score stacks up against your current analytics provider. You will not be disappointed.