Researchers have uncovered vulnerabilities in a popular WordPress plugin that could be used to escalate privileges and conduct cross-site scripting attacks.
The latest version of the ‘All in One SEO Pack’ from Semper Fi Web Design addresses these vulnerabilities and anyone running an older version should upgrade immediately if possible, explained Marc-Alexandre Montpas, a researcher with security firm Sucuri.
All in One SEO Pack is used to optimize WordPress sites and blogs for search engines. According to WordPress Plugin Directory, it has been downloaded more than 18.5 million times.
“While auditing their code, we found two security flaws that allows an attacker to conduct privilege escalation and cross site scripting (XSS) attacks,” he blogged. “In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.”
While this may not look bad at first, this bug can be used with another vulnerability to execute malicious JavaScript code on an administrator’s control panel, he noted.
“Now, this means that an attacker could potentially inject any JavaScript code and do things like changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later,” he added.
“If your site has subscribers, authors and non-admin users logging in to wp-admin, you are a risk,” blogged the researcher. “If you have open registration, you are at risk, so you have to update the plugin now.”