WordPress Plugin All In One SEO Pack has Security Vulnerability

If you own a WordPress site and use All In One SEO Pack plugin for your search optimization, listen up. Yesterday, an update was released by the plugin developers to patch several security vulnerabilities. The update was influenced by the cyber security researchers who recently audited the plugin and, in turn, found two “security flaws” that hackers could use to commit scripting attacks. In essence, if someone was able to gain access to a blog owner’s WordPress admin, that individual could inject malicious code into the server.

The two vulnerabilities found by Sucuri are below:

“In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.

…we also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator’s control panel. Now, this means that an attacker could potentially inject any javascript code and do things like changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later.

These vulnerabilities not only put a hole in WordPress admin privileges, but could even negatively affect the page rank of a website, which is exactly the opposite intent of All In One SEO Pack’s plugin. As a blog with a plugin-based CMS ourselves, we recommend contacting any friends with WordPress websites potentially using this plugin, and informing them of the patch these holes.

The fix is to simply update  All In One SEO Pack’s plugin directly from their own admin page. Otherwise, the update can be downloaded here and installed/updated manually. It would also do users well to check their author list and restrict access to any users who may not require privileges in case of future plugin-based vulnerabilities.

Source: Sucuri