CVE-2021-25037 Information

Description

The All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue which was discovered during an internal audit by the Jetpack Scan team and could grant attackers access to privileged information from the affected site’s database (e.g. usernames and hashed passwords).

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://jetpack.com/2021/12/14/severe-vulnerabilities-fixed-in-all-in-one-seo-plugin-version-4-1-5-3/ https://wpscan.com/vulnerability/4cd2a57b-3e1a-4acf-aecb-201ed9f4ee6d https://plugins.trac.wordpress.org/changeset/2640944/all-in-one-seo-pack/trunk/app/Common/Api/PostsTerms.php

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

6.5