HIGH🇬🇧 English

CVE-2021-24307

CVSS 8.8v3.1pub. 2021-05-24upd. 2024-11-21

The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Aioseo All In One Seo

    APP
    Aioseo
    < 4.1.0.2
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCEDeserialization
CWE
Referencje

Powiązane podatności

CVE-2021-25036HIGH8.8ten sam produkt

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was disc...

CVE-2025-2892MEDIUM6.4ten sam produkt

The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vuln...

CVE-2024-3368MEDIUM6.1ten sam produkt

The All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields befor...

CVE-2024-3554MEDIUM6.4ten sam produkt

The All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic plugin for Wor...

CVE-2023-0586MEDIUM6.4ten sam produkt

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple paramet...