MyPage is a personalized page based on your interests.The page is customized to help you to find content that matters you the most.


I'm not curious

Major security concerns found in All in One SEO Pack WordPress Plugin

Published on 19 June 14
741
0
1
Major security concerns found in All in One SEO Pack WordPress Plugin - Image 1
All in one SEO Pack is the most used SEO plugin in WordPress and roughly estimated to be 15 million installations.

According to Marc-Alexandre Montpas:

While auditing their code, we found two security flaws that allows an attacker to conduct privilege escalation and cross site scripting (XSS) attacks,

In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post's SEO title, description and keyword meta tags. All of which could decrease one's website's Search Engine Results Page (SERP) ranking if used maliciously.

"They also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator's control panel. Now, this means that an attacker could potentially inject any javascript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more evil activities later."

This security vulnerability has recently been fixed (All In One SEO Plugin latest version) and if you are a user running the All in One SEO Pack prior to version 2.1.6, I highly recommend that you upgrade the plugin as soon as possible to prevent any issues that can damage your website.













Major security concerns found in All in One SEO Pack WordPress Plugin - Image 1

All in one SEO Pack is the most used SEO plugin in WordPress and roughly estimated to be 15 million installations.

According to Marc-Alexandre Montpas:

While auditing their code, we found two security flaws that allows an attacker to conduct privilege escalation and cross site scripting (XSS) attacks,

In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post's SEO title, description and keyword meta tags. All of which could decrease one's website's Search Engine Results Page (SERP) ranking if used maliciously.

"They also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator's control panel. Now, this means that an attacker could potentially inject any javascript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more evil activities later."

This security vulnerability has recently been fixed (All In One SEO Plugin latest version) and if you are a user running the All in One SEO Pack prior to version 2.1.6, I highly recommend that you upgrade the plugin as soon as possible to prevent any issues that can damage your website.

This blog is listed under Development & Implementations Community

Post a Comment

Please notify me the replies via email.

Important:
  • We hope the conversations that take place on MyTechLogy.com will be constructive and thought-provoking.
  • To ensure the quality of the discussion, our moderators may review/edit the comments for clarity and relevance.
  • Comments that are promotional, mean-spirited, or off-topic may be deleted per the moderators' judgment.
You may also be interested in
Awards & Accolades for MyTechLogy
Winner of
REDHERRING
Top 100 Asia
Finalist at SiTF Awards 2014 under the category Best Social & Community Product
Finalist at HR Vendor of the Year 2015 Awards under the category Best Learning Management System
Finalist at HR Vendor of the Year 2015 Awards under the category Best Talent Management Software
Hidden Image Url

Back to Top