CVE-2021-25036

Опубликовано: 17 янв. 2022

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.

Ссылки

https://jetpack.com/2021/12/14/severe-vulnerabilities-fixed-in-all-in-one-seo-plugin-version-4-1-5-3/
Exploit
Third Party Advisory
https://plugins.trac.wordpress.org/changeset/2640944/all-in-one-seo-pack/trunk/app/Common/Api/Api.php
Patch
Vendor Advisory
https://wpscan.com/vulnerability/6de4a7de-6b71-4349-8e52-04c89c5e6d6c
Exploit
Third Party Advisory
https://jetpack.com/2021/12/14/severe-vulnerabilities-fixed-in-all-in-one-seo-plugin-version-4-1-5-3/
Exploit
Third Party Advisory
https://plugins.trac.wordpress.org/changeset/2640944/all-in-one-seo-pack/trunk/app/Common/Api/Api.php
Patch
Vendor Advisory
https://wpscan.com/vulnerability/6de4a7de-6b71-4349-8e52-04c89c5e6d6c
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:aioseo:all_in_one_seo:*:*:*:*:*:wordpress:*:*

Версия до 4.1.5.3 (исключая)

EPSS

Процентиль: 88%

0.03985

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-287

CWE-178

Связанные уязвимости

GHSA-cf7m-hm28-rpmp