on 23 July 18
All in one SEO Pack is the most used SEO plugin in WordPress and roughly estimated to be 15 million installations.
According to Marc-Alexandre Montpas:
While auditing their code, we found two security flaws that allows an attacker to conduct privilege escalation and cross site scripting (XSS) attacks,
In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post's SEO title, description and keyword meta tags. All of which could decrease one's website's Search Engine Results Page (SERP) ranking if used maliciously.
This security vulnerability has recently been fixed (All In One SEO Plugin latest version) and if you are a user running the All in One SEO Pack prior to version 2.1.6, I highly recommend that you upgrade the plugin as soon as possible to prevent any issues that can damage your website.
This blog is listed under Development & Implementations Community