This WordPress SEO plugin might leave your website vulnerable to attack

News
By published

If left unpatched, this security flaw could lead to complete site takeover

(Image credit: Pixabay)

Wordfence's Threat Intelligence team has discovered a vulnerability in a WordPress plugin installed on over two million sites called All In One SEO Pack.

If exploited, the flaw could allow authenticated users with contributor level access or higher to inject malicious scripts which are executed when a victim accesses the wp-admin panel's 'all posts' page.

After discovering this medium severity security issue, Wordfence reached out to the plugin's team and All In One SEO Pack received a patch to fix the issue just a few days later.

Users of the plugin should update to the latest version of All In One SEO Pack (3.6.2) immediately to avoid falling victim to any potential attacks that try to exploit the now patched vulnerability.

All In One SEO Pack

All in One SEO Pack is a WordPress plugin that provides several SEO features to help a site's content rank higher on Google and other search engines.

As part of the plugin's functionality, it allows users with the ability to create or edit posts to set an SEO title and description directly from a post as they are working on it. This feature is available to all users with the ability to create posts such as contributors, authors and editors.

Unfortunately before the plugin was patched, the SEO meta data for posts, which includes the SEO title and SEO description fields, had no input sanitization. This allows lower-level users like contributors and authors to inject HTML and malicious JavaScript code into those fields.

As the SEO title and SEO description for each post are displayed on the 'all posts' page, any values added to these fields would also be displayed there in an unsanitized format which would cause any saved scripts in these fields to be executed any time a user accessed this page.

In version 3.6.2 of All in One SEO Pack, the plugin's developer has added sanitization to all of the SEO post meta values so that any code injected into them would be unable to become executable scripts.

TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Website Building
Wix automation
The world's leading website builder aims to save businesses time with new tool
Squarespace
Build a website for less with 10% off Squarespace subscriptions
Squarespace
Fresh season, fresh start— launch your dream website with Squarespace with this offer
Wix Printful
Wix teams up with Printful for in-house print-on-demand tools
Squarespace
Don't miss out on this great Squarespace deal
Hostinger Website Builder vs WordPress.com: Which is better?
Hostinger Website Builder vs WordPress.com: Battle of the WordPress website builders
Latest in News
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 23 (game #385)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 23 (game #651)
Google Pixel 9 Pro Fold main display opened
Apple is rumored to be prioritizing battery life on the foldable iPhone – which could also feature a liquid metal hinge for added durability
Google Pixel 9
The Google Pixel 10 just showed up in Android code – and may come with a useful speed boost
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras
More about website building
Squarespace

Fresh season, fresh start— launch your dream website with Squarespace with this offer
Wix automation

The world's leading website builder aims to save businesses time with new tool
The Xiaomi Pad 7 Pro on a bronze table

I tested the Xiaomi Pad 7 Pro and it's the closest Android fans can get to an iPad Pro alternative
See more latest
Most Popular
HP Fury G1i 18"
'2-inches gets you 30% more screen': HP is pitching 18-inch laptop as the best new thing in tech
Framework Desktop
Framework's Desktop is selling like hot cakes; Ryzen Max+ 395, Max 383 batches are sold out with next shipment in Q3
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 23 (game #651)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 23 (game #385)
Google Pixel 9 Pro Fold main display opened
Apple is rumored to be prioritizing battery life on the foldable iPhone – which could also feature a liquid metal hinge for added durability
A person using a smartphone with an ecommerce website showing on a laptop.
Consumers are warming up to AI assistants, survey finds - 1/3 of us would allow AI to make purchases
A bloodied Mark staring at an off-screen Helly as Gemma screams at him from behind an exit door in Severance season 2 episode 10
Severance season 3: everything we know so far about the wildly popular Apple TV+ show's next chapter
Nvidia DGX Spark AI supercomputer
Project Digits is now DGX Spark: Nvidia raises its price by 33% as HPE, Dell jump on Petaflop mini AI bandwagon
ChatGPT workout
I use ChatGPT to hit my fitness and exercise goals – here are 7 prompts to help you get in shape using AI