‘Tis the Season for API Vulnerabilities: First Log4j, Now WordPress

Tomer Roizman, Security Researcher

The Holiday Season has not been kind to security professionals. Less than two weeks ago, the world was caught off guard by a Log4j vulnerability called Log4Shell. This week, a new vulnerability was disclosed in one of the most popular WordPress plugins.

Security researchers at Jetpack have recently disclosed two major vulnerabilities in the REST API of the All in One SEO for WordPress (AIOSEO) plugin:

  • Privilege escalation in REST API 
    • Affected versions: Every version between 4.0.0 and 4.1.5.2 inclusively.
    • CVE-ID: CVE-2021-25036
    • CVSSv3.1: 9.9
    • CWSS: 92.1

  • Authenticated SQL injection
    • Affected versions: Every version between 4.1.3.1 and 4.1.5.2 inclusively.
    • CVE-ID: CVE-2021-25037
    • CVSSv3.1: 7.7
    • CWSS: 80.4

What is All in One SEO for WordPress?

AIOSEO is a WordPress plugin that helps website owners optimize their WordPress websites for search engines and social media.

SEO stands for “search engine optimization” and refers to the process of improving your site’s visibility on search engines. Plugins like AIOSEO help with SEO by adding meta tags, generating XML sitemaps, adding schema markups, and more.

Basically, the plugin adds new APIs to the admin panel that allow the admin to perform actions that affect the website.

What are the AIOSEO Vulnerabilities?

The first AIOSEO vulnerability is a privilege escalation caused by broken authorization in the AIOSEO plugin’s REST API paths. The root cause is a casing mistake in how the REST API routes are compared.

When an authenticated user tries to access an API’s functionality, AIOSEO will check two things:

  • Is the user authenticated?
  • Is the user authorized to access the specific functionality they requested?

The second check can be bypassed by changing a single letter of the route to upper case. The plugin uses the requested REST API route string to decide which privilege checks to enforce on a given request, and that lookup is case sensitive. WordPress itself matches routes case insensitively, so a request with altered casing still reaches the handler while the AIOSEO plugin’s code no longer recognises the route and skips the check.

One of the APIs exposed by the AIOSEO plugin is the route aioseo/v1/htaccess, which would allow such an unauthorized user to bypass the .htaccess file on the WordPress server and execute arbitrary code using various htaccess web shell techniques (https://github.com/wireghoul/htshells).
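To make the casing defect concrete, here is an added example (not AIOSEO’s or WordPress’s code) that models a router whose route dispatch is case insensitive while the plugin-style permission lookup keys on the raw requested string, next to the corrected lookup that resolves the canonical route first. The route names follow the aioseo/v1/... pattern from the post; the capability names and the table itself are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

# Hypothetical permission table keyed by canonical route. The capability
# names are assumed; only the route pattern comes from the post.
ROUTE_CAPABILITIES = {
    "aioseo/v1/htaccess": "manage_options",  # admin-only action
    "aioseo/v1/objects": "manage_options",
    "aioseo/v1/ping": None,                  # no extra capability needed
}


@dataclass
class User:
    name: str
    capabilities: FrozenSet[str]


def dispatch_route(requested: str) -> Optional[str]:
    """Model of case-insensitive route matching (as WordPress does):
    returns the canonical route name, or None for an unknown route."""
    wanted = requested.strip("/").lower()
    for route in ROUTE_CAPABILITIES:
        if route.lower() == wanted:
            return route
    return None


def vulnerable_is_authorized(user: User, requested: str) -> bool:
    """Looks up the permission table with the raw requested string.
    A case variant of a known route misses the table, and a missing entry
    is treated as 'no extra check required'. That is the casing mistake."""
    required = ROUTE_CAPABILITIES.get(requested.strip("/"))
    return required is None or required in user.capabilities


def fixed_is_authorized(user: User, requested: str) -> bool:
    """Resolve to the canonical route before consulting the table, and deny
    anything the table does not know about (fail closed)."""
    route = dispatch_route(requested)
    if route is None:
        return False
    required = ROUTE_CAPABILITIES[route]
    return required is None or required in user.capabilities


def handle(user: User, requested: str,
           check: Callable[[User, str], bool]) -> str:
    """Simulates one request: dispatch, then the chosen authorization check."""
    route = dispatch_route(requested)
    if route is None:
        return "404"
    if not check(user, requested):
        return "403"
    return "200 " + route


if __name__ == "__main__":
    subscriber = User("subscriber", frozenset({"read"}))
    for path in ("aioseo/v1/htaccess", "aioseo/v1/Htaccess"):
        print(path, "vulnerable:", handle(subscriber, path, vulnerable_is_authorized),
              "fixed:", handle(subscriber, path, fixed_is_authorized))
```

The fix is not "lower-case the input" in isolation; it is making the authorization decision on the same canonical route the dispatcher resolved, and denying unknown routes rather than waving them through.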

The second vulnerability is an authenticated SQL injection that is exposed through the API. Exploiting it requires a privileged user (or the use of the first vulnerability to obtain that level of access). The affected endpoint, /wp-json/aioseo/v1/objects, escapes the user’s input but does not escape quotes in it, so a quote in the input can still change the structure of the query.
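The following added example (not AIOSEO’s code) shows why escaping that leaves quotes untouched does not prevent injection, and places the parameterised query that does prevent it alongside. The `partial_escape` sanitiser and the `posts` table are constructed for the illustration, using SQLite in place of WordPress’s MySQL.

```python
import sqlite3
from typing import List


def partial_escape(value: str) -> str:
    """Hypothetical sanitiser modelled on the post's description: it strips
    some characters but leaves single quotes alone, so the quote that
    closes the string literal is still under the caller's control."""
    return value.replace(";", "").replace("\\", "")


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for wp_posts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, title TEXT, status TEXT)")
    db.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [(1, "hello", "publish"), (2, "draft-notes", "draft"), (3, "secret", "private")],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, title: str) -> List[int]:
    """Query assembled by string concatenation after 'escaping' the input.
    The quote character survives, so the input can terminate the literal."""
    sql = "SELECT id FROM posts WHERE title = '" + partial_escape(title) + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_fixed(db: sqlite3.Connection, title: str) -> List[int]:
    """Placeholder binding: the driver sends the value separately from the
    statement, so no character in it can alter the query's shape."""
    return [row[0] for row in db.execute("SELECT id FROM posts WHERE title = ?", (title,))]


if __name__ == "__main__":
    db = setup_db()
    for name in ("hello", "x' OR '1'='1"):
        print(repr(name), "vulnerable:", lookup_vulnerable(db, name),
              "fixed:", lookup_fixed(db, name))
```

In WordPress code the equivalent of `lookup_fixed` is `$wpdb->prepare()` with placeholders; the lesson is that a character blacklist is not a substitute for keeping data out of the statement text.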

The Noname API Security Platform can detect and prevent such issues using its anomaly detection module, specifically by detecting the broken authorization mechanism being manipulated by an adversary.