Multiple serious vulnerabilities were uncovered last week in the ever popular ‘All in One SEO Pack’ plugin for WordPress, the vulnerabilities put millions of WordPress websites at risk. Two privilege escalation vulnerabilities that could have led to cross-site scripting attacks were found inside the popular plugin.
A critical flaw was found inside old versions of All in One SEO Pack, the plugin is designed to help WordPress websites rank better in search engines. Semper Fi, a web development firm that oversees multiple WordPress plugins, also manages the All in One pack.
Reports state that around 73 million websites online run WordPress, and about 15 million, or twenty percent of them run the All in One SEO Pack plugin, ranking it on the top five most installed WordPress plugins of all time.
The vulnerability was discovered by security researcher Marc-Alexandre Montpas. Montpass said his team at Sucuri security firm discovered the vulnerabilities last week while auditing the company’s code. Montpass discusses everything in the blog entry he posted over the weekend.
The set of vulnerabilities are said to allow a user without administrative privileges who’s logged into a WordPress site to modify parameters inside the plugin. The user could modify SEO titles, descriptions, keyword meta, and other features the plugin offers. The actions are low-level but could be troublesome for site managers.
Semper Fi web development patched the issues promptly. On Sunday, new version, 2.1.6, was released to the public, patching the vulnerabilities addressed by Sucuri along with a handful of other bugs reported by plugin users.
WordPress users who use All in One SEO Pack are urged to update the plugin immediately. This can be done by logging into the WordPress admin panel and navigating to the update section, then updating it right from the panel.
WordPress plugin vulnerabilities have seemed to have taken a common place over the years. Researchers regarding the state of this plugin have been directing users to a research paper last year, “The Security State of WordPress’ Top 50 Plugins,” inside, the work details that vulnerable WordPress plugins have been downloaded over eight million times, it is said that such has led to various high profile attacks and website compromisation over the years.