CyberSec.Space Logo
Back to CVE Browser

CVE-2021-24307

HIGH
8.8
CVSS Severity Score
EPSS Score0.1570%
EPSS Percentile15.40th
PublishedMay 24, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution.

Affected Platforms (CPE)

📦
Aioseo

All In One Seo

< 4.1.0.2

References & Advisories

🔗 https://aioseo.com/changelog/
🔗 https://wpscan.com/vulnerability/ab2c94d2-f6c4-418b-bd14-711ed164bcf1
🔗 https://aioseo.com/changelog/
🔗 https://wpscan.com/vulnerability/ab2c94d2-f6c4-418b-bd14-711ed164bcf1

Related Vulnerabilities

CVE-2021-250368.8

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an int...

CVE-2021-250376.5

The All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue, which was discovered durin...

CVE-2013-59886.1

A Cross-site Scripting (XSS) vulnerability exists in the All in One SEO Pack plugin before 2.0.3.1 for WordPress via the Search pa...

CVE-2019-165205.4

The all-in-one-seo-pack plugin before 3.2.7 for WordPress (aka All in One SEO Pack) is susceptible to Stored XSS due to improper e...