
Android Tutorial Station

Vulnerability in the All in One SEO Pack plugin

A security update for the WordPress All in One SEO Pack plugin has recently been released. This update is a consequence of a serious vulnerability in the All in One SEO Pack plugin that allows low-privileged users to escalate their privileges.

If you use this plugin, update to the new version as soon as possible to avoid security problems in your WordPress blog.

Description of the vulnerability in the All in One SEO Pack for WordPress plugin

In principle, the security problem only affects those WordPress blogs that have subscribers, authors, contributors, etc.; in other words, it affects those blogs that allow any registered user to access wp-admin, for example those blogs that have public registration enabled. If in your case registration is closed and you don't have any editors or contributors, you should not have problems, but it is still advisable to update.

During an audit of the plugin code, two security flaws were found that can be exploited through XSS attacks and privilege escalation.

In the first case, any user with access to wp-admin, whether a subscriber, author, contributor, etc. (administrator permissions are not necessary), could modify some of the per-post parameters used by the plugin, such as the meta description and the SEO title. If this were done by a malicious user, it would result in a loss of search engine rankings.

The second security flaw allows malicious JavaScript code to be injected, which could be used, for example, to change the administrator's password. Once access to the WordPress dashboard has been gained, other activities can be carried out (deleting or modifying files, injecting malware, executing commands on the server, etc.).
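Both flaws described above come down to two missing controls in the code path that writes and displays per-post SEO fields: a capability check before the write, and sanitisation on input plus escaping on output. The following is an added illustration, not the plugin's own code, of what a hardened WordPress meta-box handler for such fields looks like; the meta box id, field names, meta keys and nonce action (`example_seo_*`) are hypothetical.

```php
<?php
// Added example (not the All in One SEO Pack code): a hardened meta-box
// handler for per-post SEO fields. All example_seo_* names are hypothetical.

// Register the meta box on the post edit screen.
add_action( 'add_meta_boxes', function () {
    add_meta_box(
        'example_seo_box',
        'SEO settings (example)',
        'example_seo_render_box',
        'post'
    );
} );

function example_seo_render_box( $post ) {
    // The nonce ties this form to the current user and to this specific post.
    wp_nonce_field( 'example_seo_save_' . $post->ID, 'example_seo_nonce' );

    $title = get_post_meta( $post->ID, '_example_seo_title', true );
    $desc  = get_post_meta( $post->ID, '_example_seo_description', true );

    // Escape on output: stored meta is never trusted when rendered in wp-admin,
    // which is what stops a stored XSS payload from running in an admin's browser.
    echo '<p><label>SEO title<br>';
    echo '<input type="text" name="example_seo_title" value="' . esc_attr( $title ) . '"></label></p>';
    echo '<p><label>Meta description<br>';
    echo '<textarea name="example_seo_description">' . esc_textarea( $desc ) . '</textarea></label></p>';
}

add_action( 'save_post', 'example_seo_save_box', 10, 2 );

function example_seo_save_box( $post_id, $post ) {
    // save_post also fires for autosaves and revisions; ignore those.
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }

    // 1. Nonce check: rejects forged cross-site requests and stale forms.
    if ( ! isset( $_POST['example_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_save_' . $post_id ) ) {
        return;
    }

    // 2. Capability check: the user must be allowed to edit THIS post.
    //    Any logged-in role can reach wp-admin; without this check a subscriber
    //    or contributor could rewrite the SEO fields of posts they do not own.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // 3. Sanitise on input: strip tags and control characters so that stored
    //    meta cannot carry script into any screen that later prints it.
    if ( isset( $_POST['example_seo_title'] ) ) {
        update_post_meta(
            $post_id,
            '_example_seo_title',
            sanitize_text_field( wp_unslash( $_POST['example_seo_title'] ) )
        );
    }
    if ( isset( $_POST['example_seo_description'] ) ) {
        update_post_meta(
            $post_id,
            '_example_seo_description',
            sanitize_textarea_field( wp_unslash( $_POST['example_seo_description'] ) )
        );
    }
}

// Front-end output: escape again when emitting the value into <head>.
add_action( 'wp_head', function () {
    if ( ! is_singular() ) {
        return;
    }
    $desc = get_post_meta( get_queried_object_id(), '_example_seo_description', true );
    if ( $desc !== '' ) {
        echo '<meta name="description" content="' . esc_attr( $desc ) . '">' . "\n";
    }
} );
```

The three checks in `example_seo_save_box` are independent and all three are needed: the nonce alone does not stop a legitimately logged-in low-privileged user, the capability check alone does not stop a CSRF against an editor, and neither prevents a stored XSS if the value is later printed unescaped. When reviewing a plugin, the quickest audit is to locate every `update_post_meta` / `update_option` call and confirm a `current_user_can` check sits in front of it, then locate every `echo` of stored data and confirm it passes through an `esc_*` function.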

Final Recommendations

To protect against vulnerabilities in the All in One SEO Pack plugin, the only reliable measure is to keep the plugin updated.

Once again we are facing a security problem in WordPress introduced by a plugin, and this time a well-known plugin that even has a paid version. This shows, once again, that plugins with a premium or paid version do not have stronger security controls than free and open-source ones.

It is true that each SEO plugin has its supporters and its detractors, but I take the opportunity to recommend the SEO plugin that we use at Vozidea, which is WordPress SEO by Yoast. This plugin is free and, combined with good on-page SEO, gives good results.
