The Sucuri blog has posted that the All in One SEO plugin had two vulnerabilities they had pointed out earlier, and that the just-released update fixes both. AISEO users are advised to upgrade as soon as possible.
While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross-site scripting (XSS) attacks.
In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.
Also, commenter Orun Bhuiyan brings up an important security point: the AISEO plugin echoes a generator tag with the version number, exposing both the plugin and its version and making it easy for malicious entities to target vulnerabilities when such situations arise. This has been pointed out on several forums, and several plugins contain settings to mute generator tags, but it continues to be a problematic default and a major security risk, leaving wide swathes of content vulnerable before updates can be applied.
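A site owner can check their own rendered pages for this kind of version disclosure. The script below is an added example, not code from the plugin or from the original post; the function names and the sample HTML, including its made-up product names, are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Dotted version string such as "2.1.4" or "3.9"
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


class GeneratorAudit(HTMLParser):
    """Collect every <meta name="generator"> tag found in a rendered page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing tags (<meta ... />).
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() != "generator":
            return
        content = a.get("content", "").strip()
        m = VERSION_RE.search(content)
        self.findings.append({
            "line": self.getpos()[0],
            "content": content,
            "version": m.group(0) if m else None,
        })


def audit_generator_tags(html):
    """Return all generator tags, with the version each one reveals (or None)."""
    parser = GeneratorAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def version_disclosures(html):
    """Return only the generator tags that expose a version number."""
    return [f for f in audit_generator_tags(html) if f["version"]]


# Constructed sample page; product names are placeholders, not real output.
SAMPLE_HTML = """<html><head>
<title>Example</title>
<meta name="generator" content="ExampleCMS 3.9.1" />
<meta name="Generator" content="Example SEO Plugin 2.1.4">
<meta name="generator" content="ExampleTheme">
<meta name="description" content="Released 1.0 today">
</head><body></body></html>"""

if __name__ == "__main__":
    for f in version_disclosures(SAMPLE_HTML):
        print(f"line {f['line']}: {f['content']!r} discloses {f['version']}")
```

Running it against the saved HTML of a page before and after muting generator output confirms whether the setting actually took effect.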