CVE-2021-25037: 
WordPress vulnerability analysis and mitigation

The All in One SEO WordPress plugin versions between 4.1.3.1 and 4.1.5.2 was affected by an authenticated SQL injection vulnerability (CVE-2021-25037). This security flaw was discovered during an internal audit by the Jetpack Scan team and was patched in version 4.1.5.3 released on December 7, 2021 (Jetpack Blog, Bleeping Computer).

The vulnerability exists in the PostsTerms::searchForObjects() method, accessible via the /wp-json/aioseo/v1/objects REST API route. The issue arose because the method only escaped user input using wpdb::esc_like() before appending it to an SQL query, which wasn't sufficient to prevent SQL injection attacks. The vulnerability has a CVSSv3.1 score of 7.7 (High) and is classified as CWE-89 (Jetpack Blog, WPScan).

If exploited, the SQL injection vulnerability could allow attackers to access privileged information from the affected site's database, including usernames and hashed passwords. While the vulnerable endpoint wasn't meant to be accessible to low-privileged users, it could be combined with a privilege escalation vulnerability (CVE-2021-25036) to escalate the attack (Jetpack Blog).

The vulnerability was patched in version 4.1.5.3 of the All in One SEO plugin. Website administrators running affected versions (4.1.3.1 to 4.1.5.2) are strongly advised to update to version 4.1.5.3 or later immediately. Additionally, implementing a comprehensive security solution that includes malicious file scanning and backups is recommended (Jetpack Blog).