CVE-2021-24307

CVE-2021-24307: All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize

Vendor All In One Seo Team

Product All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings

Weakness CWE-502 · Unsafe deserialization

Published May 24, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution.

Key dates

02Disclosure timeline

May 24, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24307 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

CVE-2021-24307: All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize

01Description

02Disclosure timeline

03References

04Related CVE