Researchers Uncover Security Vulnerabilities in Popular WordPress SEO Plugin


Researchers at Sucuri have found two serious vulnerabilities in the popular WordPress SEO plugin called “All in One SEO Pack.”

According to a report by PCWorld on Monday, the flaws discovered last week could enable attackers to access non-administrative WordPress accounts, elevate their privileges, and inject malicious code into the admin panel.

The team behind the plugin released a new version of All in One SEO Pack on Saturday to patch the privilege escalation vulnerabilities.

According to a blog post by Sucuri, the vulnerability could affect WordPress sites with subscribers, authors and non-admin users logging in to wp-admin, as well as sites with open registration.

The All in One SEO Pack plugin has been downloaded more than 18.5 million times, so the issue could have far-reaching effects if users don’t update their sites with version 2.1.6 immediately.

“While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross site scripting (XSS) attacks,” Marc-Alexandre Montpas, security analyst at Sucuri said. “In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.”

“While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator’s control panel,” Montpas said.

With this capability, an attacker could inject arbitrary JavaScript code, change the admin’s account password or leave a back door.
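To make the two flaw classes above concrete from the defender's side, here is an added illustration (not code from All in One SEO Pack, Sucuri or PCWorld) of what a WordPress plugin that stores per-post SEO fields needs: a nonce and capability check before writing the fields, sanitization of the stored values, and escaping when they are rendered in the admin panel. The function names, meta keys and nonce action (`aioseo_demo_*`) are hypothetical.

```php
<?php
// Added illustration of hardened per-post SEO meta handling in a WordPress
// plugin. All aioseo_demo_* names and meta keys are hypothetical.

// Register an admin meta box for the SEO fields on the post edit screen.
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'aioseo_demo_box', 'SEO (demo)', 'aioseo_demo_render_box', 'post' );
} );

// Render the fields. Every stored value is escaped on output, so a value
// saved by a low-privilege user cannot execute as script in an admin's browser.
function aioseo_demo_render_box( $post ) {
    wp_nonce_field( 'aioseo_demo_save', 'aioseo_demo_nonce' );
    $title = get_post_meta( $post->ID, '_aioseo_demo_title', true );
    $desc  = get_post_meta( $post->ID, '_aioseo_demo_description', true );
    echo '<p><label>Title <input type="text" name="aioseo_demo_title" value="'
        . esc_attr( $title ) . '"></label></p>';
    echo '<p><label>Description <textarea name="aioseo_demo_description">'
        . esc_textarea( $desc ) . '</textarea></label></p>';
}

// Save handler. The privilege-escalation class of bug described in the article
// arises when a handler writes whatever arrives in $_POST without checking who
// sent it; here the nonce and capability checks gate the write.
function aioseo_demo_save( $post_id ) {
    if ( ! isset( $_POST['aioseo_demo_nonce'] )
        || ! wp_verify_nonce( $_POST['aioseo_demo_nonce'], 'aioseo_demo_save' ) ) {
        return; // request did not originate from our form
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // Only users allowed to edit this specific post may change its SEO fields.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Strip tags and control characters before the values reach the database.
    if ( isset( $_POST['aioseo_demo_title'] ) ) {
        update_post_meta( $post_id, '_aioseo_demo_title',
            sanitize_text_field( wp_unslash( $_POST['aioseo_demo_title'] ) ) );
    }
    if ( isset( $_POST['aioseo_demo_description'] ) ) {
        update_post_meta( $post_id, '_aioseo_demo_description',
            sanitize_textarea_field( wp_unslash( $_POST['aioseo_demo_description'] ) ) );
    }
}
add_action( 'save_post', 'aioseo_demo_save' );
```

Escaping on output and authorization on write are independent controls: the article's second flaw shows why the first is still needed even when the second is in place.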

Since WordPress is the most popular website platform, and is used by many small businesses and individual users, plugin security issues can be very disruptive. With hosted WordPress, hosting providers often take care of updating plugins and monitoring security issues to keep websites safe. Staying on top of plugin updates is extremely important in maintaining website security.

Recently, managed WordPress offerings have been receiving interest from investors. In May, Pantheon raised a $21.5 million Series B funding round to invest in product development and international expansion.

Last spring, attackers targeted WordPress websites with weak admin credentials, wreaking havoc on hosting providers’ systems as they fought to keep their customers’ sites secure.


One Comment

  1. DoktorThomas™

    SEO is greatly overrated. If you have quality content, it is the search engines' responsibility to make it accessible. Use of this plug-in is a waste of bytes. ©2014