CVE-2021-24307

All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize

  • Severity Score: 8.8 (CVSS v3.1)
  • Public Exploits: 2 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings plugin before 4.1.0.2 enables authenticated users with the "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore the plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds the Monolog library, which can be used to craft a gadget chain and thus trigger system command execution.


*Credits: Vincent MICHEL
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-01-14 CVE Reserved
  • 2021-05-09 CVE Published
  • 2022-01-02 First Exploit
  • 2024-04-15 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-502: Deserialization of Untrusted Data
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Aioseo
  • Product: All In One Seo
  • Version: < 4.1.0.2
  • Other: wordpress
  • Status: Affected