Researchers have uncovered vulnerabilities in a popular WordPress plugin that could be used to escalate privileges and conduct cross-site scripting attacks.
The latest version of the 'All in One SEO Pack' from Semper Fi Web Design addresses these vulnerabilities and anyone running an older version should upgrade immediately if possible, explained Marc-Alexandre Montpas, a researcher with security firm Sucuri.
All in One SEO Pack is used to optimize WordPress sites and blogs for search engines. According to WordPress Plugin Directory, it has been downloaded more than 18.5 million times.
"While auditing their code, we found two security flaws that allows an attacker to conduct privilege escalation and cross site scripting (XSS) attacks," he blogged. "In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously."
"If your site has subscribers, authors and non-admin users logging in to wp-admin, you are a risk," blogged the researcher. "If you have open registration, you are at risk, so you have to update the plugin now."