CVE-2021-24307

Name of the Vulnerable Software and Affected Versions The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings versions prior to 4.1.0.2

Description The issue allows authenticated users with aioseo tools settings privilege, typically admins, to execute arbitrary code on the host. This is possible because the plugin attempts to unserialize values from uploaded .ini files in the "Tool > Import/Export" section. The embedded Monolog library can be exploited to create a gadget chain, leading to system command execution.

Recommendations For versions prior to 4.1.0.2, update to version 4.1.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Tool > Import/Export" section and the aioseo tools settings privilege to minimize the risk of exploitation. Avoid uploading .ini files from untrusted sources until the issue is resolved.