CVE-2021-24307
📋 TL;DR
This vulnerability allows authenticated WordPress administrators (or users with 'aioseo_tools_settings' privilege) to execute arbitrary code on the server by uploading a malicious .ini backup file. The plugin's insecure deserialization of .ini file values combined with the Monolog library creates a gadget chain for remote code execution. This affects All in One SEO plugin installations before version 4.1.0.2.
💻 Affected Systems
- All in One SEO (AIOSEO) WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attacker to execute arbitrary system commands, install malware, exfiltrate data, or pivot to other systems.
Likely Case
Attacker gains shell access to the web server, potentially compromising the entire WordPress installation and associated databases.
If Mitigated
Limited to authenticated admin users only, reducing attack surface but still dangerous if admin credentials are compromised.
🎯 Exploit Status
Exploitation requires admin-level access (or the 'aioseo_tools_settings' capability) and knowledge of gadget chain construction using the Monolog library.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.0.2
Vendor Advisory: https://aioseo.com/changelog/
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'All in One SEO' and click 'Update Now'.
4. Verify version is 4.1.0.2 or later.
🔧 Temporary Workarounds
Disable Import/Export Feature
Remove access to the vulnerable import/export functionality by restricting user capabilities.
Add to WordPress theme functions.php or a custom plugin (WordPress has no bare remove_cap() function; the capability is removed through the role object returned by get_role()):
$role = get_role('administrator');
if ($role) { $role->remove_cap('aioseo_tools_settings'); }
The removal is persisted in the database, so it only needs to run once; repeat it for any other role the plugin has granted the capability to.
File Upload Restriction
Block .ini file uploads through web server configuration.
For Apache (.htaccess):
<FilesMatch "\.ini$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
(On Apache 2.4 without mod_access_compat, use "Require all denied" instead of the Order/Deny pair.)
For Nginx (the space after the ~* modifier is required; without it nginx treats the whole token as a literal prefix match):
location ~* \.ini$ { deny all; }
Note that these rules deny direct HTTP requests for URLs ending in .ini; they do not inspect multipart POST bodies, so they do not by themselves stop an authenticated upload through the plugin's import form.
🧯 If You Can't Patch
- Restrict admin access to trusted users only with strong authentication
- Implement web application firewall (WAF) rules to block .ini file uploads and suspicious POST requests to AIOSEO endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > All in One SEO > Version. If version is below 4.1.0.2, system is vulnerable.
Check Version:
wp plugin list --name="all-in-one-seo-pack" --field=version
Verify Fix Applied:
Confirm plugin version is 4.1.0.2 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin.php?page=aioseo-tools with .ini file uploads
- Unusual PHP process execution from web server user
- Monolog library errors or warnings
Network Indicators:
- HTTP POST requests containing serialized data to AIOSEO endpoints
- Unexpected outbound connections from web server
SIEM Query:
source="web_server_logs" AND (uri="/wp-admin/admin.php" AND query="page=aioseo-tools" AND method="POST") AND (user_agent CONTAINS "curl" OR user_agent CONTAINS "wget" OR file_extension=".ini")
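As an added example (not part of this advisory), a Python scanner that applies the Log Indicators and the SIEM query above to combined-format access log lines, flagging POSTs to the AIOSEO tools page and raising severity for tool-like user agents; the log layout, the constructed sample lines and the python-requests agent string are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (Apache/Nginx default); the layout is an assumption about your logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# User-agent substrings from the SIEM query above, plus python-requests (an assumption).
TOOL_UA = ("curl", "wget", "python-requests")

def parse_line(line):
    """Return a dict with method, path, parsed query and user agent, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec

def classify(rec):
    """'high' for POSTs to the tools page from a tool-like UA, 'medium' for other POSTs, else None.
    Access logs do not record uploaded filenames, so the .ini check from the SIEM query cannot be
    applied here; the endpoint and method are the usable signal."""
    if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-admin/admin.php":
        return None
    if "aioseo-tools" not in rec["query"].get("page", []):
        return None
    ua = rec["ua"].lower()
    return "high" if any(t in ua for t in TOOL_UA) else "medium"

def scan(lines):
    """Return [(severity, ip, timestamp)] for every line that matches the indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        sev = classify(rec)
        if sev:
            hits.append((sev, rec["ip"], rec["ts"]))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jun/2021:10:14:55 +0000] "GET /wp-admin/admin.php?page=aioseo-tools HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2021:10:15:01 +0000] "POST /wp-admin/admin.php?page=aioseo-tools HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jun/2021:10:16:20 +0000] "POST /wp-admin/admin.php?page=aioseo-tools HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '203.0.113.5 - - [12/Jun/2021:10:16:25 +0000] "POST /wp-admin/admin.php?page=aioseo-settings HTTP/1.1" 302 0 "-" "curl/7.68.0"',
]
```

Running scan(SAMPLE_LOG) yields one medium hit for the browser POST and one high hit for the curl POST; the GET and the POST to a different page are ignored.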