An advisory regarding CVE-2023-0585 and CVE-2023-0586 – two vulnerabilities found in the All In One SEO (AIOSEO) WordPress plugin – has been published by NVD (the United States National Vulnerability Database). All versions of the plugin up to and including 4.2.9 are vulnerable to stored cross-site scripting (XSS) attacks because user-supplied input is not sufficiently sanitized and escaped.
Given that the All In One SEO plugin has over three million active installations, it is worth noting that the two vulnerabilities were assigned medium-level severity scores of 4.4 and 6.4 respectively.
What are the CVE-2023-0585 and CVE-2023-0586 vulnerabilities?
CVE-2023-0585 arises from a failure to properly sanitize inputs: the plugin’s filtering is not sufficient to stop a malicious user from submitting script content. This is what NVD means when it refers to “insufficient input sanitization and output escaping”.
Because of this issue, an authenticated attacker with an administrator role (or above) may be able to inject arbitrary web scripts into pages, and those scripts execute whenever a user accesses an injected page. That said, one reason for the relatively low severity of this issue is that, to carry out the attack, the attacker must first hold administrator privileges or higher.
CVE-2023-0586 is likewise rated a medium-level threat, but it carries a higher score of 6.4. The main reason is the difference in the privileges the attacker needs: in this case, only contributor-level access to the website is required.
A contributor-level role (or higher) gives an attacker the ability to create content (though not necessarily to publish it), and so to inject arbitrary web scripts into one or more pages, which then execute whenever users access the injected page.
What are stored Cross-Site Scripting (XSS) attacks?
XSS is an injection attack that executes in a user’s browser: malicious script runs in the context of the vulnerable site and can lead to access to a user’s session or cookies – and could even lead to a full site takeover.
This means that any form of input to the website (an image upload form, a contact form, or any other input that accepts uploads or submissions) can be used by attackers as the entry point for an XSS attack.
There are different ways to carry out an XSS attack; two of the most common forms of cross-site scripting are reflected and stored XSS. In a stored XSS attack, the attacker is able to plant malicious scripts on the vulnerable site itself.
Reflected XSS attacks, on the other hand, rely mostly on tricking a user into clicking a crafted link to the vulnerable site, which then reflects the script back at that same user.
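To make “insufficient input sanitization and output escaping” concrete, and to show why a stored XSS is different from a reflected one (the script is persisted on the server and served to every later visitor), the following is a PHP illustration added for this article. It is not code from the AIOSEO plugin: the “meta description” setting, the in-memory option store and the capability checks are hypothetical. The WordPress helper names (esc_attr, sanitize_text_field, current_user_can) are the real ones; the fallbacks at the top only let the file run under plain `php` outside WordPress. It places the vulnerable pattern (store as submitted, echo raw) beside a hardened one that gates the write on a capability, sanitizes on save, and escapes on output.

```php
<?php
// Added illustration for this article, not code from the AIOSEO plugin.
// The setting ("meta description"), the option store and the capability
// checks are hypothetical; the WordPress helper names are the real ones.

// Stand-ins so the file also runs under plain `php` outside WordPress.
// Inside WordPress the real functions are already defined and these are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    // Rough stand-in for WordPress' sanitize_text_field(): strip tags, trim.
    function sanitize_text_field(string $s): string {
        return trim(strip_tags($s));
    }
    // Stand-in: pretend the current user is a contributor (has edit_posts only).
    function current_user_can(string $cap): bool {
        return $cap === 'edit_posts';
    }
}

// --- Vulnerable pattern: store as submitted, echo raw ----------------------
function save_meta_description_vulnerable(array &$store, string $input): void {
    $store['meta_description'] = $input;               // no sanitization on save
}
function render_meta_description_vulnerable(array $store): string {
    // No escaping: a quote in the value closes the attribute, and any
    // <script> that follows becomes part of the page for every visitor.
    return '<meta name="description" content="' . ($store['meta_description'] ?? '') . '">';
}

// --- Hardened pattern: gate the write, sanitize on save, escape on output --
function save_meta_description_hardened(array &$store, string $input): bool {
    // Only users allowed to manage site options may change this setting.
    if (!current_user_can('manage_options')) {
        return false;
    }
    $store['meta_description'] = sanitize_text_field($input);
    return true;
}
function render_meta_description_hardened(array $store): string {
    // Escape for the attribute context regardless of how the value got there.
    return '<meta name="description" content="' . esc_attr($store['meta_description'] ?? '') . '">';
}

// Constructed sample input (not an observed payload): it closes the
// attribute and opens a script tag.
$sample = 'Best widgets"><script>alert(1)</script><meta x="';

$raw = [];
save_meta_description_vulnerable($raw, $sample);
echo "vulnerable render: ", render_meta_description_vulnerable($raw), PHP_EOL;

$safe = [];
$written = save_meta_description_hardened($safe, $sample);
echo "hardened save by contributor: ", ($written ? 'accepted' : 'rejected'), PHP_EOL;

// Defence in depth: even a tainted value that reached storage through
// another path (legacy data, a different code path) is rendered inert.
echo "hardened render of tainted value: ", render_meta_description_hardened($raw), PHP_EOL;
```

Run it with `php stored_xss_example.php`. The hardened version applies two independent controls on purpose: the capability check and sanitization limit who can get script content into storage, while escaping at output keeps a value inert even if it reached the database some other way. Relying on only one of the two is what leaves a plugin exposed when a lower-privileged role, such as a contributor, is allowed to write the field.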
Fixing CVE-2023-0585 and CVE-2023-0586
The security fix for these vulnerabilities is included in AIOSEO plugin version 4.3.0, listed as additional “security hardening” in the official AIOSEO changelog. Organizations using the All in One SEO plugin should update to this version to avoid being exposed to these vulnerabilities.
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- VulnRX – vulnerability fix database
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- How to properly tackle zero-day threats
- Threat intelligence frameworks in 2022
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.