|Category:||Web application abuses|
|Title:||WordPress All in One SEO Pack Plugin < 22.214.171.124 RCE Vulnerability|
|Summary:||The WordPress plugin All in One SEO Pack is prone to a remote code execution (RCE) vulnerability.|
The All in One SEO - Best WordPress SEO Plugin allows
authenticated users with the 'aioseo_tools_settings' privilege (most of the time admin) to execute
arbitrary code on the underlying host. Users can restore the plugin's configuration by uploading a
backup .ini file in the section 'Tool > Import/Export'. However, the plugin attempts to
unserialize the values of the .ini file. Moreover, the plugin embeds the Monolog library, which can be
used to craft a gadget chain and thus trigger system command execution.
An authenticated attacker might execute arbitrary code.
WordPress All in One SEO Pack plugin prior to version 126.96.36.199.
Update to version 188.8.131.52 or later.
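The root cause described above is that values from an uploaded backup file reach PHP's unserialize. The following added example, which is not the plugin's code, decodes such values without instantiating any class; the function names are hypothetical and the sample values are constructed.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.
// Requires PHP 7.0+ for the 'allowed_classes' option.

// True if the decoded value holds an object anywhere, including the
// __PHP_Incomplete_Class placeholder PHP creates for blocked classes.
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Decode one imported setting without ever instantiating a class.
function safe_import_value(string $raw)
{
    // allowed_classes => false: no class is loaded, so no magic method
    // (__wakeup, __destruct) of a bundled library can run.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return $raw; // not serialized data, keep the plain string
    }
    if (contains_object($value)) {
        throw new UnexpectedValueException('serialized object rejected');
    }
    return $value;
}

// Constructed stand-in for the parsed values of an uploaded backup file.
$imported = [
    'title'   => 'My site',
    'options' => serialize(['lang' => 'en', 'depth' => 3]),
    'logger'  => serialize(new stdClass()), // benign object, must be refused
];
foreach ($imported as $key => $raw) {
    try {
        echo $key, ' => ', json_encode(safe_import_value($raw)), PHP_EOL;
    } catch (UnexpectedValueException $e) {
        echo $key, ' => REJECTED (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

A backup format that does not rely on PHP serialization at all, such as JSON, removes this class of problem from the import path.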
Common Vulnerability Exposure (CVE) ID: CVE-2021-24307|
|Copyright||Copyright (C) 2021 Greenbone Networks GmbH|