25 Dec 2021

Last week Marc Montpas, a security researcher at Automattic, discovered two severe security vulnerabilities in one of the most popular SEO plugins used by WordPress website owners.
The plugin is used by more than three million websites and, if left unpatched, could cause serious headaches for WordPress users.
Both vulnerabilities require the attacker to have an account on the website, but that account can be as low-level as a subscriber. Many WordPress websites allow anyone on the web to create an account: open registration is controlled by the "Anyone can register" option under Settings > General (the users_can_register option), and sites that enable it get a steady stream of self-registered accounts.
By default new accounts are assigned the subscriber role, which has no capabilities beyond reading content and writing comments.
However, vulnerabilities such as the ones just discovered let subscriber accounts exercise far more privileges than the role was ever intended to have, because the plugin's own code fails to check the user's capabilities before performing privileged actions.
When exploited in tandem, these two security holes allow an attacker to take over an unpatched WordPress website.
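The root cause of this class of bug is a handler that checks only that the caller is logged in, rather than that the caller holds the capability the action needs. The following is an added illustration, not the plugin's code and not a reproduction of the reported flaws: a hypothetical WordPress REST route that updates a site option, registered once with a weak permission check that any subscriber passes and once with a capability check that enforces least privilege. The route namespace, option name and function names are invented for the example.

```php
<?php
/**
 * Plugin Name: Least-privilege REST example (added illustration)
 * Description: Shows a weak vs. a hardened permission_callback for a privileged action.
 */

// Hypothetical privileged action: only a site administrator should be able to do this.
function lp_example_update_setting( WP_REST_Request $request ) {
    $value = sanitize_text_field( $request->get_param( 'value' ) );
    update_option( 'lp_example_setting', $value );
    return rest_ensure_response( array( 'updated' => $value ) );
}

add_action( 'rest_api_init', function () {
    // WEAK: is_user_logged_in() is true for a freshly self-registered subscriber,
    // so anyone who can create an account can change the option.
    register_rest_route( 'lp-example/v1', '/setting-weak', array(
        'methods'             => 'POST',
        'callback'            => 'lp_example_update_setting',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // HARDENED: require the capability the action actually needs.
    // Subscribers do not have manage_options, so WordPress answers 403 rest_forbidden
    // before the callback runs.
    register_rest_route( 'lp-example/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => 'lp_example_update_setting',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'value' => array(
                'required' => true,
                'type'     => 'string',
            ),
        ),
    ) );
} );
```

To verify the fix on a test site, create a subscriber account with an application password and call both routes with it (for example `curl -u subscriber:app-password -X POST https://example.test/wp-json/lp-example/v1/setting -d value=x`): the hardened route must return a 403 `rest_forbidden` error for the subscriber and succeed only for an administrator. The same rule applies to admin-ajax.php handlers and form submissions: a nonce proves the request came from the site's own page, not that the user is allowed to perform the action, so every privileged handler needs its own current_user_can() check.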