CVE-2021-25036 Information

Description

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue which was discovered during an internal audit by the Jetpack Scan team and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts like subscribers to perform remote code execution on affected sites.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://plugins.trac.wordpress.org/changeset/2640944/all-in-one-seo-pack/trunk/app/Common/Api/Api.php https://jetpack.com/2021/12/14/severe-vulnerabilities-fixed-in-all-in-one-seo-plugin-version-4-1-5-3/ https://wpscan.com/vulnerability/6de4a7de-6b71-4349-8e52-04c89c5e6d6c

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8