Description

Marc-Alexandre Montpas reported two privilege escalation vulnerabilities in the WordPress plugin All in One SEO Pack. If your site has subscribers, authors and non-admin users logging in to wp-admin, you are a risk. If you have open registration, you are at risk, so you have to update the plugin now.

Remediation

Upgrade to the latest version of All in One SEO Pack (this problem was fixed in version 2.1.6).

References

All In One SEO Pack Release History

Related Vulnerabilities

Same origin method execution (SOME)

WordPress Plugin UserPro-Community and User Profile Multiple Vulnerabilities (5.1.1)

Java object deserialization of user-supplied data

WordPress Plugin MStore API-Create Native Android & iOS Apps On The Cloud Security Bypass (4.14.7)

WordPress Cross-Domain Flash Injection Vulnerability (0.70 - 3.6.1)

Severity

High

Classification

CWE-269 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Privilege Escalation