{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T06:27:46.719","vulnerabilities":[{"cve":{"id":"CVE-2021-24307","sourceIdentifier":"contact@wpscan.com","published":"2021-05-24T11:15:08.350","lastModified":"2024-11-21T05:52:48.583","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with \"aioseo_tools_settings\" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section \"Tool > Import/Export\". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds Monolog library which can be used to craft a gadget chain and thus trigger system command execution."},{"lang":"es","value":"All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings versiones anteriores a 4.1.0.2 permite a usuarios autenticados con el privilegio \"aioseo_tools_settings\" (la mayoría de las veces administrador) ejecutar código arbitrario en el host subyacente. Los usuarios pueden restaurar la configuración del plugin  al cargar un archivo .ini de respaldo en la sección \"Tool ) Import/Export\". Sin embargo, el plugin intenta anular la serialización de los valores del archivo .ini. Además, el plugin  incorpora la biblioteca Monolog que puede ser usada para diseñar una cadena de dispositivos y, por lo tanto, desencadenar una ejecución de comandos del sistema"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:C/I:C/A:C","baseScore":9.0,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":8.0,"impactScore":10.0,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"contact@wpscan.com","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:aioseo:all_in_one_seo:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"4.1.0.2","matchCriteriaId":"23F0DE8A-3D20-47E8-A04E-176CB617E919"}]}]}],"references":[{"url":"https://aioseo.com/changelog/","source":"contact@wpscan.com","tags":["Release Notes","Vendor Advisory"]},{"url":"https://wpscan.com/vulnerability/ab2c94d2-f6c4-418b-bd14-711ed164bcf1","source":"contact@wpscan.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://aioseo.com/changelog/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Vendor Advisory"]},{"url":"https://wpscan.com/vulnerability/ab2c94d2-f6c4-418b-bd14-711ed164bcf1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]}]}}]}