High-usage Wordpress SEO plug-in flagged for security vulnerability
MacNN Staff
Jun 2, 2014, 07:15 PM
Wordpress users with search engine optimization (SEO) tools may want to consider updating, as one of the most widely used plug-ins has been found to be vulnerable to attack. All in One SEO Pack, a plug-in with over 18.5 million downloads on Wordpress.com, could allow an attacker to escalate their privileges from a low-level user account and carry out cross-site scripting attacks.

Marc-Alexandre Montpas, a security researcher from Sucuri, found that vulnerabilities in the plug-in could be used to inject malicious code into a Wordpress administration panel. Once in place, this code would execute whenever a user logged into the wp-admin control panel; any user, from administrators to site subscribers, could trigger it.

Users, including those who self-registered on a site with open registration, can manipulate SEO parameters such as keyword tags, SEO title and description. On its own, this vulnerability doesn't amount to much of a problem, since at worst it would lower the site's position on a search results page. However, combined with another bug it can be used to do more serious damage.

"We also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator's control panel," said Montpas. "Now, this means that an attacker could potentially inject any Javascript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more 'evil' activities later."

Since the attack can be carried out from an account that anyone can register for themselves, rather than one assigned by an administrator, it is a significant issue for Wordpress users. All in One SEO Pack has since issued an update, version 2.1.6, that fixes the vulnerabilities. Sites running the plug-in should update to the latest version immediately to avoid unwanted activity. The plug-in can be upgraded through the Wordpress administration panel or downloaded from Wordpress.com.
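As an added illustration (not code from All in One SEO Pack, Sucuri or this article), here is the pattern the report describes, a per-post SEO field that a low-privileged user can write and that wp-admin later renders, in a deliberately vulnerable form beside a hardened one. The WordPress hooks and helper functions are the real API; the meta key, field name and function names are hypothetical.

```php
<?php
// Added example, not code from All in One SEO Pack or Sucuri. The meta key,
// field and function names are hypothetical; the WordPress functions used
// (update_post_meta, current_user_can, wp_verify_nonce, sanitize_text_field,
// esc_attr, add_action) are the real API.
// VULNERABLE (shown for contrast, not hooked): no capability or nonce check
// on the write path, and the stored value is echoed unescaped in the
// wp-admin meta box, so stored markup runs in the browser of whoever next
// opens the post editor, administrators included.
function vuln_save_seo_title( $post_id ) {
    if ( isset( $_POST['seo_title'] ) ) {
        update_post_meta( $post_id, '_hypo_seo_title', $_POST['seo_title'] );
    }
}
function vuln_render_seo_box( $post ) {
    $title = get_post_meta( $post->ID, '_hypo_seo_title', true );
    echo '<input name="seo_title" value="' . $title . '">';
}

// HARDENED: three independent controls; any one of them alone would have
// broken the chain the article describes (low-privilege write -> admin XSS).
function safe_save_seo_title( $post_id ) {
    // 1. Capability check: only users allowed to edit this post may change
    //    its SEO fields, so a self-registered low-level account stops here.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // 2. Nonce check: the request must originate from the real editor form.
    if ( ! isset( $_POST['hypo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['hypo_seo_nonce'], 'hypo_seo_save' ) ) {
        return;
    }
    if ( isset( $_POST['seo_title'] ) ) {
        // 3a. Sanitize on input: strips tags, octets and line breaks.
        $clean = sanitize_text_field( wp_unslash( $_POST['seo_title'] ) );
        update_post_meta( $post_id, '_hypo_seo_title', $clean );
    }
}
function safe_render_seo_box( $post ) {
    wp_nonce_field( 'hypo_seo_save', 'hypo_seo_nonce' );
    $title = get_post_meta( $post->ID, '_hypo_seo_title', true );
    // 3b. Escape on output: anything that slipped past 3a is rendered as
    //     inert attribute text rather than interpreted as HTML.
    echo '<input name="seo_title" value="' . esc_attr( $title ) . '">';
}
add_action( 'save_post', 'safe_save_seo_title' );
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'hypo_seo', 'SEO title', 'safe_render_seo_box', 'post' );
} );
```

The same rule applies to every field the article lists (keyword tags, title, description): check who may write it, sanitize what is stored, and escape at the point of output in wp-admin.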
( Last edited by NewsPoster; Jun 16, 2014 at 05:46 AM. )