
Cloud Vulnerability DB
A community-led vulnerabilities database
The All in One SEO WordPress plugin before version 4.1.5.3 was affected by a critical Privilege Escalation vulnerability (CVE-2021-25036). This security flaw was discovered during an internal audit by the Jetpack Scan team and could allow attackers with low-privileged accounts, such as subscribers, to reach protected REST API endpoints they should not be able to access (Jetpack Blog, WPScan).
The vulnerability existed in the privilege checks applied by All in One SEO to secure REST API endpoints. The Api::validateAccess() method used the requested REST API route to decide which privilege checks to apply, but failed to account for WordPress treating REST API routes as case-insensitive strings. This meant that simply changing a single character to uppercase would completely bypass the privilege check routine (Jetpack Blog).
The vulnerability could enable users with low-privileged accounts to perform remote code execution on affected sites. For example, attackers could abuse the aioseo/v1/htaccess endpoint to rewrite a site's .htaccess with arbitrary content and execute malicious code on the server (Jetpack Blog).
The vulnerability was patched in version 4.1.5.3 of the All in One SEO plugin. Website administrators running versions between 4.0.0 and 4.1.5.2 were strongly advised to update to the latest version immediately. Two weeks after the patch was released, over 820,000 sites were still running vulnerable versions of the plugin (Bleeping Computer).
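Because the bypass depends on a REST route that differs from its lowercase form, requests of that shape stand out in web server access logs and can be used to triage sites that ran an affected version. The following is an added example, not code from the advisory or the plugin; it assumes combined-log-format access logs and the default /wp-json/ REST prefix, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-log-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
NAMESPACE = "/aioseo/v1/"  # REST namespace named in the advisory

# Constructed sample lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2021:10:00:01 +0000] "POST /wp-json/aioseo/v1/htaccess HTTP/1.1" 200 52 "-" "-"',
    '198.51.100.7 - - [10/Dec/2021:10:02:13 +0000] "POST /wp-json/aioseo/v1/htaccesS HTTP/1.1" 200 52 "-" "-"',
    '198.51.100.7 - - [10/Dec/2021:10:02:40 +0000] "POST /?rest_route=/aioseo/v1/htAccess HTTP/1.1" 200 52 "-" "-"',
    '192.0.2.10 - - [10/Dec/2021:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900 "-" "-"',
]


def rest_route(target):
    """Return the REST route from a request target, or None if it is not a REST call."""
    parts = urlsplit(target)
    path = unquote(parts.path)  # decode %xx so encoded letters are compared too
    # Pretty-permalink form: /wp-json/<route> (default prefix, assumed here)
    m = re.search(r"/wp-json(/.*)$", path, re.IGNORECASE)
    if m:
        return m.group(1)
    # Plain-permalink form: /?rest_route=/<route> (parse_qs decodes the value)
    routes = parse_qs(parts.query).get("rest_route")
    return routes[0] if routes else None


def suspicious_requests(log_lines):
    """Return (method, route) for aioseo/v1 requests whose route is not all lowercase."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        route = rest_route(m.group("target"))
        # Compare case-insensitively, the way the advisory says WordPress matches routes
        if route is None or not route.lower().startswith(NAMESPACE):
            continue
        if route != route.lower():
            hits.append((m.group("method"), route))
    return hits


if __name__ == "__main__":
    for method, route in suspicious_requests(SAMPLE_LOG):
        print(f"review: {method} {route}")
```

A hit is a lead for review rather than proof of compromise; correlate it with the plugin version installed at the time and with changes to the site's .htaccess.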
Source: This report was generated using AI