Researchers at Sucuri have found two serious vulnerabilities in the popular WordPress SEO plugin called “All in One SEO Pack.”
According to a report by PCWorld on Monday, the flaws discovered last week could enable attackers holding non-administrative WordPress accounts to elevate their privileges and inject malicious code into the admin panel.
The team behind the plugin released a new version of All in One SEO Pack on Saturday to patch the privilege escalation vulnerabilities.
According to a blog post by Sucuri, the vulnerability could affect WordPress sites with subscribers, authors and non-admin users logging in to wp-admin, as well as sites with open registration.
The All in One SEO Pack plugin has been downloaded more than 18.5 million times, so the issue could have far-reaching effects if users don’t update their sites with version 2.1.6 immediately.
“While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross site scripting (XSS) attacks,” Marc-Alexandre Montpas, security analyst at Sucuri, said. “In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.”
Since WordPress is the most popular website platform and is used by many small businesses and individual users, plugin security issues can be very disruptive. With hosted WordPress, hosting providers often take care of updating plugins and monitoring security issues to keep websites safe. Staying on top of plugin updates is extremely important in maintaining website security.
Recently, managed WordPress offerings have been receiving interest from investors. In May, Pantheon raised a $21.5 million Series B funding round to invest in product development and international expansion.