Vulnerability: WordPress SEO plugin

    June 3, 2014 by Support Staff

Vulnerability found in the All in One SEO Pack WordPress Plugin

    A patch was released June 1 for the popular All in One SEO Pack plugin for WordPress, closing vulnerabilities that could allow attackers to perform privilege escalation and cross-site scripting (XSS) attacks against sites running older versions of the plugin. We advise all users to update their installations immediately.

    According to Sucuri web developer and security analyst Marc-Alexandre Montpas:

    "If your site has subscribers, authors and non-admin users logging in to wp-admin ... if you have open registration, you are at risk," Montpas said in a post.

    "In the first case, a logged-in user, without possessing any kind of administrative privileges could add or modify certain parameters used by the plugin [including] the post’s SEO title, description and keyword meta tags.

    "... we also discovered this bug can be used with another vulnerability to execute malicious JavaScript code on an administrator’s control panel [which] means that an attacker could potentially inject any JavaScript code and do things like changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more 'evil' activities later."
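The two defects Montpas describes (a non-admin user writing plugin meta values, and those values later rendering unescaped inside an admin screen) are a common WordPress plugin bug class. The following is an added illustration written for this post, not code from All in One SEO Pack or from Sucuri: a hypothetical `save_post` handler and meta box, first in the vulnerable shape and then hardened with the checks a plugin should make. The meta key `_demo_seo_title`, the form field and nonce names, and all `demo_seo_*` function names are assumptions; the WordPress core functions used (`current_user_can`, `wp_verify_nonce`, `sanitize_text_field`, `esc_attr`, and so on) are real.

```php
<?php
// Added illustration of the bug class in this advisory. Not the plugin's
// own code; every demo_seo_* name and the _demo_seo_title meta key are
// hypothetical.

// --- Vulnerable pattern --------------------------------------------------
// Runs for whoever triggers a post save, with no capability check, no CSRF
// token and no sanitisation, so a low-privilege account can store arbitrary
// markup in the meta value.
function demo_seo_save_meta_vulnerable( $post_id ) {
    if ( isset( $_POST['demo_seo_title'] ) ) {
        update_post_meta( $post_id, '_demo_seo_title', $_POST['demo_seo_title'] );
    }
}

// Echoes the stored value raw into the post editor: whatever was stored
// above now executes in the browser of the administrator who opens the post.
function demo_seo_render_meta_box_vulnerable( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    echo '<input type="text" name="demo_seo_title" value="' . $title . '">';
}

// --- Hardened pattern ----------------------------------------------------
function demo_seo_save_meta_hardened( $post_id ) {
    // 1. The request must carry a nonce issued by our own form (CSRF check).
    if ( ! isset( $_POST['demo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_seo_nonce'], 'demo_seo_save' ) ) {
        return;
    }

    // 2. Autosaves carry no meta box data; do not touch meta on them.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }

    // 3. The current user must hold a capability on this specific post.
    //    The absence of this check is what turns a meta write into
    //    privilege escalation. Pick the capability to match your policy;
    //    'edit_post' is the usual minimum.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // 4. Sanitise on input: strip tags, line breaks and control characters.
    if ( isset( $_POST['demo_seo_title'] ) ) {
        $clean = sanitize_text_field( wp_unslash( $_POST['demo_seo_title'] ) );
        update_post_meta( $post_id, '_demo_seo_title', $clean );
    }
}

function demo_seo_render_meta_box_hardened( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );

    // Emit the nonce the save handler verifies.
    wp_nonce_field( 'demo_seo_save', 'demo_seo_nonce' );

    // 5. Escape on output regardless of what is stored, so a value that
    //    reached the database by any other route still cannot run as script
    //    inside the admin panel.
    echo '<input type="text" name="demo_seo_title" value="' . esc_attr( $title ) . '">';
}

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'demo_seo', 'Demo SEO title', 'demo_seo_render_meta_box_hardened', 'post' );
} );
add_action( 'save_post', 'demo_seo_save_meta_hardened' );
```

The two halves of the fix are independent and both are needed: the capability and nonce checks stop the unauthorised write, while escaping at output stops stored markup from executing even if a write slips through some other path. When auditing a plugin after an advisory like this one, look for `save_post` and similar handlers that write `$_POST` data to `update_post_meta` or `update_option` without a `current_user_can` check, and for admin-side `echo` of meta or option values without an `esc_*` function.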

    If you have the All in One SEO Pack installed on your WordPress installation, please update it immediately.

    If you have questions or need assistance, please submit a support ticket.

©2006 - 2019 Tierra Hosting, LLC