All in one SEO Pack is the most used SEO plugin in WordPress and roughly estimated to be 15 million installations.
According to
Marc-Alexandre Montpas:
While auditing their code, we found two security flaws that allows an attacker to conduct privilege escalation and
cross site scripting (XSS) attacks,
In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post's SEO title, description and keyword meta tags. All of which could decrease one's website's Search Engine Results Page (SERP) ranking if used maliciously.
"They also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator's control panel. Now, this means that an attacker could potentially inject any javascript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more evil activities later."
This security vulnerability has recently been fixed (
All In One SEO Plugin latest version) and if you are a user running the All in One SEO Pack prior to version 2.1.6, I highly recommend that you upgrade the plugin as soon as possible to prevent any issues that can damage your website.