There are no SEO packages installed on my server, but evidently several of the main crapware plugins are now leaving gaping security holes on many WP sites. An estimated 800,000 sites are still vulnerable.

In total, three million sites were vulnerable to the flaw. In the two weeks since the patch was issued by the plugin's developers, more than two million installations were updated, leaving some 820,000 still vulnerable.

  • CVE-2021-25036
  • CVE-2021-25037

WordPress admins still using All In One SEO versions affected by these severe vulnerabilities (between 4.0.0 and …) who haven't already installed the patch are advised to do so immediately. Safer still is to remove the packages entirely.
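As an added example (not from the original post or the plugin's own code), a small triage script that reads the installed plugin's header and reports whether its version sits in the affected range. It assumes the standard plugin slug `all-in-one-seo-pack` and a main-file name of `all_in_one_seo_pack.php`; since the post truncates the upper bound of the range, the first fixed release is a labelled placeholder you must fill in from the vendor's advisory.

```python
"""Triage check: is the installed All In One SEO plugin in a vulnerable version range?

Reads the 'Version:' field of the plugin's main PHP file header (the same field
WordPress parses) and compares it using WordPress-style dotted versions, so that
4.1.5.2 sorts before 4.1.5.3 and both sort before 4.2.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

# Assumed location relative to the WordPress root; the slug is the plugin's
# public one, the main-file name is an assumption made for this example.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/all-in-one-seo-pack/all_in_one_seo_pack.php")
VULNERABLE_FROM = "4.0.0"
# PLACEHOLDER: the post truncates the upper bound of the affected range; replace
# this with the vendor's first patched release before relying on the result.
FIRST_FIXED_VERSION = "9.9.9"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.1.5.2' into (4, 1, 5, 2); short versions are padded so 4.2 == 4.2.0.0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts + (0,) * (4 - len(parts))


def plugin_version(header_text: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin file header, if present."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable(version: str, low: str = VULNERABLE_FROM,
                  fixed: str = FIRST_FIXED_VERSION) -> bool:
    """True when low <= version < fixed; the first fixed release itself counts as safe."""
    return parse_version(low) <= parse_version(version) < parse_version(fixed)


def assess(wp_root: Path) -> str:
    """Return 'absent', 'unknown', 'vulnerable (x)' or 'patched (x)' for a WordPress tree."""
    path = wp_root / PLUGIN_MAIN_FILE
    if not path.exists():
        return "absent"
    # Only the header block matters; WordPress itself reads just the first 8 KiB.
    version = plugin_version(path.read_text(errors="replace")[:8192])
    if version is None:
        return "unknown"
    return f"{'vulnerable' if is_vulnerable(version) else 'patched'} ({version})"


if __name__ == "__main__":
    import sys
    print(assess(Path(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it against the WordPress document root; "absent" is the outcome the post recommends, and "vulnerable" means update or remove the plugin now.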

An attacker could abuse these flaws to hide .htaccess backdoors and execute malicious code on the server.