WordPress All in One SEO Pack vulnerability found
A medium-severity threat to WordPress sites using the All in One SEO Pack has been found by our partner. While sites hosted by us have already been patched, this post may help your in-house teams keep your site safe.
What is All in One SEO?
All in One SEO Pack is a plugin that provides several SEO-enhancing features to help rank a WordPress site’s content higher on search engines. As part of its functionality, it allows users who can create or edit posts to set an SEO title and SEO description. This makes it easier for post creators to improve the SEO of posts as they are writing them. This feature is available to all users that can create posts, such as contributors, authors, and editors.
So what’s the issue?
The flaw allows authenticated users with contributor-level access or above to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all posts’ page.
This is considered a medium severity security issue that, as with all XSS vulnerabilities, can result in complete site takeover and other severe consequences. We strongly recommend immediately updating to the latest version of this plugin. At the time of writing, that is version 3.6.2 of All in One SEO Pack.
See the code snippet below for reference:
</script><script>alert(0)</script>
This worked because the leading </script> tag would close out the SEO description’s original script tag, and an additional script would then be injected directly after it.
So, what happens now?
Luckily, the developer of the plugin has now patched it and added sanitisation. If an attacker enters HTML characters, they will be escaped and become unusable. This is why we’re recommending you upgrade the plugin now.
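The breakout and the escaping fix described above, shown side by side. This is an added example, not the plugin's code: the function names, the `seoDescription` variable and the way the value is placed in the page are assumptions made for illustration.

```php
<?php
// Added illustration; not the plugin's code. All function names are hypothetical.

// Vulnerable pattern: a user-supplied value is concatenated into an inline
// <script> block. The HTML parser ends the block at the first "</script>",
// even when it sits inside what looks like a JavaScript string.
function render_unsafe(string $description): string
{
    return '<script>var seoDescription = "' . $description . '";</script>';
}

// Hardened pattern for a script context: JSON-encode with the JSON_HEX_* flags
// so <, >, &, ' and " are emitted as \uXXXX escapes and cannot close the block.
function render_in_script(string $description): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var seoDescription = ' . json_encode($description, $flags) . ';</script>';
}

// Hardened pattern for an HTML context (for example a table cell):
// HTML characters become entities and are shown as text.
function render_in_html(string $description): string
{
    return '<td>' . htmlspecialchars($description, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Rough count of <script> start tags in the markup (a regex approximation,
// sufficient for this demonstration).
function count_script_elements(string $html): int
{
    return preg_match_all('/<script\b/i', $html);
}

$payload = '</script><script>alert(0)</script>'; // the string quoted in this post

foreach (['render_unsafe', 'render_in_script', 'render_in_html'] as $renderer) {
    $html = $renderer($payload);
    printf("%-17s scripts=%d  %s\n", $renderer, count_script_elements($html), $html);
}
```

The unescaped renderer yields two script start tags where the page author wrote one, which is the condition to look for when reviewing templates that echo user-editable fields.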
If you need more help or advice, why not talk to us today?