Two critical and high severity security vulnerabilities in the highly popular “All in One” SEO WordPress plugin exposed over 3 million websites to takeover attacks.
The security flaws discovered and reported by Automattic security researcher Marc Montpas are a critical Authenticated Privilege Escalation bug (CVE-2021-25036) and a high severity Authenticated SQL Injection (CVE-2021-25037).
Over 800,000 vulnerable WordPress sites
The plugin’s developer released a security update to address both All in One bugs on December 7, 2021.
However, more than 820,000 sites using the plugin are yet to update their installation, according to download statistics for the last two weeks since