
WordPress Security Flaw – Update All-In-One SEO pack


June 3, 2014 by Christian Thomson


The Sucuri Blog issued a notice that a popular SEO plugin for WordPress websites had a major security vulnerability.

The WordPress plugin is the “All in One SEO Pack” and the fix is easy: update the plugin immediately, as in today.

The vulnerability affected WordPress sites running the plugin that let subscribers, authors and other non-admin users log in to wp-admin.

Client of Marwick Marketing? Don’t worry, we’ve already updated yours (if you have it)!

Sucuri’s post explains the issue as follows. In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered this bug can be used with another vulnerability to execute malicious JavaScript code on an administrator’s control panel. Now, this means that an attacker could potentially inject any JavaScript code and do things from changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later.

The code in the plugin had two security issues that enabled hackers to:

(1) Conduct privilege escalation

(2) Perform cross-site scripting (XSS) attacks
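To show what those two bug classes look like in plugin code, here is an added example written for this post; it is not code from the All in One SEO Pack plugin, and the function and meta key names (demo_seo_*) are made up for illustration. The first pair of functions saves a post’s SEO title without any permission check and prints it back into the wp-admin page unescaped, which is the privilege-escalation-plus-stored-XSS combination described above. The second pair is the hardened version, using the standard WordPress nonce, capability, sanitisation and escaping calls.

```php
<?php
/*
 * Added example for this article, not the plugin's own code.
 * Names prefixed demo_seo_ are invented for illustration.
 */

// ---------- Vulnerable pattern (kept only to show the defect) ----------
function demo_seo_save_vulnerable( $post_id ) {
    // Any request reaching this hook with a 'demo_seo_title' field is
    // trusted: no nonce, no capability check, no sanitisation. A logged-in
    // subscriber's request is handled exactly like an editor's.
    if ( isset( $_POST['demo_seo_title'] ) ) {
        update_post_meta( $post_id, '_demo_seo_title', $_POST['demo_seo_title'] );
    }
}

function demo_seo_render_vulnerable( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    // Raw output into an admin page: whatever was stored in the meta field
    // is rendered in the administrator's browser unmodified (stored XSS).
    echo '<input type="text" name="demo_seo_title" value="' . $title . '">';
}

// ---------- Hardened pattern ----------
function demo_seo_render_secure( $post ) {
    // The nonce ties the form submission to this action and this session.
    wp_nonce_field( 'demo_seo_save', 'demo_seo_nonce' );
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    // esc_attr() neutralises quotes and angle brackets inside the attribute,
    // so a stored value can no longer break out of the input tag.
    echo '<input type="text" name="demo_seo_title" value="' . esc_attr( $title ) . '">';
}

function demo_seo_save_secure( $post_id ) {
    // 1. Reject requests that did not originate from our own form.
    if ( ! isset( $_POST['demo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_seo_nonce'], 'demo_seo_save' ) ) {
        return;
    }
    // 2. Autosaves carry no user-submitted meta-box fields; skip them.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // 3. Privilege check: only a user allowed to edit this particular post
    //    may change its SEO fields. A subscriber fails here; an author
    //    passes only for posts they own.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // 4. Store a sanitised single-line string instead of raw request input.
    if ( isset( $_POST['demo_seo_title'] ) ) {
        $title = sanitize_text_field( wp_unslash( $_POST['demo_seo_title'] ) );
        update_post_meta( $post_id, '_demo_seo_title', $title );
    }
}

// Wire up only the hardened handlers.
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'demo_seo', 'SEO title (demo)', 'demo_seo_render_secure', 'post' );
} );
add_action( 'save_post', 'demo_seo_save_secure' );
```

The capability check is what closes the privilege-escalation hole, and the output escaping is what stops a value that did get stored from running as script in an administrator’s session; both are needed, because a plugin that only escapes output still lets low-privilege users rewrite the site’s SEO metadata. The same pattern is a quick way to audit any plugin you run: look at every save_post handler and confirm it checks a nonce and current_user_can() before writing post meta.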

Again, the fix is simple, just upgrade to the latest version available for this plugin.