Around 800,000 WordPress sites are still vulnerable to attack because their owners have not patched a widely used plugin.
Recall that two critical bugs were found in a popular WordPress plugin a few weeks ago. Although they were patched at the time, hundreds of thousands of users have yet to deploy the update, which leaves their sites at risk.
The All in One SEO WordPress plugin was vulnerable to two flaws: CVE-2021-25036, a critical authenticated privilege escalation flaw, and CVE-2021-25037, a high-severity authenticated SQL injection bug.
Users who still need to apply the patch
In total, an estimated three million sites were vulnerable to the flaws. In the two weeks since the plugin developers released the patch, more than two million installations have been updated, leaving some 820,000 still vulnerable.
Although the flaws require the attacker to be authenticated to WordPress, they only need low-level permissions, such as the Subscriber role, to work. A subscriber can normally only post comments and edit their own profile, but with CVE-2021-25036 they can elevate their privileges and remotely execute code on vulnerable websites.
Automattic security researcher Marc Montpas, who was the first to spot the flaws, says the bugs are easy to exploit: all an attacker has to do is change "a single character to uppercase" to bypass all of the plugin's privilege checks.
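The article only says that flipping one character to uppercase defeats the privilege checks. The example below is an added illustration, not the plugin's code and not Montpas's proof of concept, of the general bug class that produces exactly that symptom: a router that matches paths case-insensitively paired with a permission check that compares the raw request path case-sensitively against a list of privileged routes. The route names, roles and capabilities are hypothetical, and the "fixed" check shows the defence a practitioner would apply, which is to derive the required capability from the route the router actually dispatches rather than from the attacker-controlled string.

```python
"""Model of a case-sensitivity mismatch between routing and a privilege check.

Added example (hypothetical routes and roles); it is not the plugin's real code.
"""

# Constructed route table: path -> capability required to call it.
ROUTES = {
    "/aioseo/v1/public-data": "read",        # any logged-in user
    "/aioseo/v1/admin-settings": "manage",   # administrators only
}

# Vulnerable pattern: a literal, case-sensitive list of privileged paths.
PRIVILEGED_ROUTES = {"/aioseo/v1/admin-settings"}

# Constructed role -> capability map (Subscriber has only "read").
ROLE_CAPS = {
    "subscriber": {"read"},
    "administrator": {"read", "manage"},
}


def resolve_route(path):
    """Case-insensitive routing: '/Admin-settings' reaches the same handler as
    '/admin-settings'. Returns the canonical route key, or None if unknown."""
    wanted = path.lower()
    for route in ROUTES:
        if route.lower() == wanted:
            return route
    return None


def permission_check_vulnerable(path, role):
    """Compares the raw request path against the privileged list as-is, so any
    change of letter case makes a privileged route look unprivileged."""
    if path in PRIVILEGED_ROUTES:
        return "manage" in ROLE_CAPS[role]
    return "read" in ROLE_CAPS[role]


def permission_check_fixed(path, role):
    """Looks up the capability of the route that will actually be dispatched,
    so the check and the router agree on what the request targets."""
    canonical = resolve_route(path)
    if canonical is None:
        return False
    return ROUTES[canonical] in ROLE_CAPS[role]


def handle_request(path, role, check):
    """Simulated dispatch: 404 unknown route, 403 denied, 200 handler ran."""
    if resolve_route(path) is None:
        return 404
    if not check(path, role):
        return 403
    return 200


def single_char_uppercase_variants(path):
    """Every path obtained by uppercasing exactly one lowercase letter."""
    return [
        path[:i] + c.upper() + path[i + 1:]
        for i, c in enumerate(path)
        if c.islower()
    ]


def bypass_variants(path, role, check):
    """Variants of `path` that the given check lets `role` reach with 200."""
    return [
        v for v in single_char_uppercase_variants(path)
        if handle_request(v, role, check) == 200
    ]


if __name__ == "__main__":
    target = "/aioseo/v1/admin-settings"
    for name, check in (("vulnerable", permission_check_vulnerable),
                        ("fixed", permission_check_fixed)):
        hits = bypass_variants(target, "subscriber", check)
        print(f"{name}: {len(hits)} single-character bypasses", hits[:3])
```

Run as a script it reports how many one-character variants of the privileged path a Subscriber can reach under each check; the fixed check yields none because the capability comes from the resolved route, not the raw string. Any allowlist or denylist that compares a normalised value elsewhere (URL paths, header names, usernames, file extensions) is exposed to the same mismatch.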
Website administrators who use the All in One SEO WordPress plugin should update to version 4.1.5.3, released on December 14, 2021, to avoid being exposed to these attacks.