cbcvebase.
CVE-2021-24307
published 2021-05-24

CVE-2021-24307: The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings"…

PriorityP267high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
53.27%
98.9th percentile
The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution.

Affected

2 ranges
VendorProductVersion rangeFixed in
aioseoall_in_one_seo< 4.1.0.24.1.0.2
all_in_one_seo_teamall_in_one_seo_best_wordpress_seo_plugin_easily_improve_your_seo_rankings>= 4.1.0.2 < 4.1.0.24.1.0.2

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.