WordPress All In One SEO Pack plugin users should upgrade NOW #vulnerability

The Sucuri blog has posted that the All in One SEO plugin had two vulnerabilities they had pointed out earlier, and the just-released update fixes both. AISEO users are advised to upgrade as soon as possible.

While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross site scripting (XSS) attacks.

In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. These include the post’s SEO title, description and keyword meta tags, all of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered this bug can be used with another vulnerability to execute malicious JavaScript code on an administrator’s control panel. Now, this means that an attacker could potentially inject any JavaScript code and do things ranging from changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later.

Read more: Vulnerability found in the All In One SEO Pack WordPress plugin

Also, commenter Orun Bhuiyan raises an important security point: the AISEO plugin echoes a generator tag with the version number, exposing both the plugin and its version and making it easy for malicious entities to target vulnerable sites when situations like this arise. This has been pointed out on several forums, and several plugins include settings to mute generator tags, but it remains a problematic default and a major security risk that leaves wide swathes of content vulnerable before updates can be applied.
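A site owner can check their own pages for the version disclosure described above. The following is an added example, not code from the original post or from the plugin: it scans a page's HTML for generator meta tags and for comments that carry a version number. The sample HTML and product names are constructed placeholders, and the comment check is an assumption that goes beyond the generator tag the post mentions.

```python
import re
from html.parser import HTMLParser

# Dotted version number such as 2.1.4 or 4.9
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")


class DisclosureAudit(HTMLParser):
    """Collects generator meta tags and HTML comments that carry a version number."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing <meta ... /> via handle_startendtag.
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() == "generator":
            self._record("meta-generator", a.get("content", ""))

    def handle_comment(self, data):
        # Assumption: some plugins announce themselves in comments, not meta tags.
        self._record("comment", data)

    def _record(self, kind, text):
        text = " ".join(text.split())
        m = VERSION_RE.search(text)
        if m:  # a product name without a version is not reported
            self.findings.append({"kind": kind, "text": text, "version": m.group(0)})


def audit_html(html):
    """Return every version-bearing generator tag or comment, in document order."""
    parser = DisclosureAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; product names and versions are placeholders.
SAMPLE = """<html><head>
<meta name="generator" content="ExampleCMS 4.2.1">
<META NAME="Generator" CONTENT="Example SEO Plugin 1.0.3" />
<meta name="generator" content="ExampleCMS">
<!-- Example SEO Plugin 1.0.3 -->
<!-- start of navigation -->
<meta name="description" content="Release notes for 3.5.2">
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE):
        print(f"{f['kind']:15} {f['version']:8} {f['text']}")
```

Run it against the rendered HTML of your own front page and a single post after changing any generator setting, and expect an empty result once the tags are muted.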

