CVE-2021-25037
MEDIUM EXPLOITEDAll in One SEO WordPress <4.1.5.3 - Authenticated SQL Injection
Title source: llmExploitation Summary
CVE-2021-25037 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
The All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue, which was discovered during an internal audit by the Jetpack Scan team, and could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://jetpack.com/2021/12/14/severe-vulnerabilities-fixed-in-all-in-one-seo-plugin-version-4-1-5-3/
Exploit, Vendor Advisory x_refsource_misc
https://wpscan.com/vulnerability/4cd2a57b-3e1a-4acf-aecb-201ed9f4ee6d
Patch, Vendor Advisory x_refsource_confirm
https://plugins.trac.wordpress.org/changeset/2640944/all-in-one-seo-pack/trunk/app/Common/Api/PostsTerms.php
Scores
CVSS v3
6.5
EPSS
0.0129
EPSS Percentile
67.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
VulnCheck KEV
2021-12-14
CWE
CWE-89
Status
published
Products (1)
aioseo/all_in_one_seo
< 4.1.5.3
Published
Jan 17, 2022
Tracked Since
Feb 18, 2026