If you own a WordPress site and use the All In One SEO Pack plugin for your search optimization, listen up. Yesterday the plugin's developers released an update that patches several security vulnerabilities. The update follows an audit by security researchers at Sucuri, who found two flaws that attackers could use to carry out scripting (cross-site scripting) attacks. In essence, an attacker does not need the blog owner's administrator credentials: a logged-in user with only a low-privileged account could inject content, including script, through the plugin's per-post SEO fields.
The two vulnerabilities found by Sucuri are below:
“In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.
These vulnerabilities not only punch a hole in WordPress's privilege model, but could also hurt a website's page rank, which is the exact opposite of what All In One SEO Pack is meant to do. As a blog running on a plugin-based CMS ourselves, we recommend contacting any friends with WordPress websites that might use this plugin and letting them know a patch for these holes is available.
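To make the class of bug concrete, here is an added illustration written for this post; it is not All In One SEO Pack's code and does not reproduce the plugin's actual logic. It shows a per-post SEO meta box whose save handler trusts the submitted form outright, beside a hardened version that checks a nonce, checks that the current user may edit that specific post, sanitizes the values before storing them, and escapes them when rendering. The field names, meta keys, nonce action and `demo_seo_` function names are invented for the example.

```php
<?php
/**
 * Added illustration only: NOT All In One SEO Pack's code. It contrasts a
 * save handler that writes per-post SEO meta without checking who submitted
 * it with a hardened handler. Field names, meta keys and the nonce action
 * are made up for this example.
 */

// Form field name => post meta key (invented for the example).
function demo_seo_fields() {
    return array(
        'demo_seo_title'       => '_demo_seo_title',
        'demo_seo_description' => '_demo_seo_description',
        'demo_seo_keywords'    => '_demo_seo_keywords',
    );
}

// VULNERABLE pattern: trusts $_POST and the supplied post ID outright.
// Whoever gets a request to this hook can overwrite the SEO fields of the
// post being saved, with no check that they may edit it, and the raw value
// (script tags included) is stored and later echoed into the admin screen.
function demo_seo_save_vulnerable( $post_id ) {
    foreach ( demo_seo_fields() as $field => $meta_key ) {
        if ( isset( $_POST[ $field ] ) ) {
            update_post_meta( $post_id, $meta_key, $_POST[ $field ] );
        }
    }
}

// HARDENED pattern: the nonce ties the submission to our own form, the
// capability check ties it to a user allowed to edit *this* post, and the
// values are sanitized before they reach the database.
function demo_seo_save_hardened( $post_id ) {
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( ! isset( $_POST['demo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_seo_nonce'], 'demo_seo_save_' . $post_id ) ) {
        return;
    }
    // The per-post capability check the vulnerable version lacks.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    foreach ( demo_seo_fields() as $field => $meta_key ) {
        if ( isset( $_POST[ $field ] ) ) {
            $value = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
            update_post_meta( $post_id, $meta_key, $value );
        }
    }
}
add_action( 'save_post', 'demo_seo_save_hardened' );

// Output side: escape stored meta when rendering it in the editor, so a value
// that slipped in earlier cannot execute as script in an administrator's browser.
function demo_seo_render_meta_box( $post ) {
    wp_nonce_field( 'demo_seo_save_' . $post->ID, 'demo_seo_nonce' );
    foreach ( demo_seo_fields() as $field => $meta_key ) {
        $value = get_post_meta( $post->ID, $meta_key, true );
        printf(
            '<p><label for="%1$s">%1$s</label> <input type="text" id="%1$s" name="%1$s" value="%2$s" /></p>',
            esc_attr( $field ),
            esc_attr( $value )
        );
    }
}

function demo_seo_register_meta_box() {
    add_meta_box( 'demo_seo', 'SEO (demo)', 'demo_seo_render_meta_box', 'post' );
}
add_action( 'add_meta_boxes', 'demo_seo_register_meta_box' );
```

The point of the contrast is the `current_user_can( 'edit_post', $post_id )` line: `save_post` fires for every post save on the site, so a plugin that reads `$_POST` inside it must itself decide whether the requester is allowed to touch that post. The sanitize-on-input and `esc_attr`-on-output pair addresses the scripting side, since SEO titles and descriptions are rendered back into admin pages that administrators load.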
The fix is simply to update All In One SEO Pack from your WordPress admin page. Otherwise, the update can be downloaded here and installed manually. It would also do users well to review their user list and strip roles or capabilities from any accounts that do not need them: bugs of this kind typically require only a logged-in low-privileged account, so the fewer such accounts exist, the less a future plugin vulnerability has to work with.