All in One SEO Pack plugin Vulnerability Affects 2 Million Users

The WordFence Threat Intelligence team has discovered a vulnerability in the All In One SEO Pack WordPress plugin that is currently installed on over 2 million sites.

All In One SEO Pack is a plugin that provides several search engine optimization (SEO) enhancing features to help rank a WordPress site’s content higher on search engines. As part of its functionality, it allows users that have the ability to create or edit posts to set an SEO title and SEO description directly from a post as it is being edited. This makes it easier for post creators to improve the SEO of posts as they are writing them. This feature is available to all users that can create posts, such as contributors, authors, and editors.

Unfortunately, the SEO metadata for posts, including the SEO title and SEO description fields, had no input sanitization allowing lower-level users like contributors and authors the ability to inject HTML and malicious JavaScript into those fields.

This medium severity security flaw that, as with all XSS vulnerabilities, can result in complete site takeover and other severe consequences allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all posts’ page.

The good news is that the Plugin developers have already patched the vulnerability.

Vulnerability Disclosure Timeline

July 10, 2020 – Initial discovery and analysis of vulnerability. Firewall rule was released for Wordfence Premium customers. Initial outreach to the Semper plugin team.
July 13, 2020 – The lead developer at Semper confirms an appropriate discussion channel. We provide full disclosure.
July 15, 2020 – A patch was released (version 3.6.2).
August 9, 2020 – Free Wordfence users receive firewall rule.

WordFence recommendations to mitigate anticipated risks

1. Enforcing strong passwords for all users, however, accounts with higher privileges have an elevated risk as they have more capabilities associated with their account. Strong passwords are extremely important to enforce, in order to mitigate the risk associated with attackers gaining unauthorized access to these accounts through password compromising attack techniques like brute force.

2. Enforcing two-factor authentication for all users, especially those with higher level capabilities, to help provide an extra layer of login security and protection against brute force attacks and compromised passwords. You can use the Wordfence Login Security Plugin built in functionality that can be found in the “Login Security” area of the plugin or with the use of the stand-alone You can learn more on how to enable and configure these settings here.

3. As a default step, All In One SEO Pack plugin users  immediately updating to the latest version of this plugin. At the time of writing, that is version 3.6.2 of All in One SEO Pack.

Wordfence Premium customers received a new firewall rule on July 10, 2020 to protect against exploits targeting this vulnerability. Free Wordfence users will receive this rule after thirty days, on August 9, 2020.

Read more of our WPChase security blogs here

Wonderful!, just before you go: Please subscribe to our website below  for the latest tips, ideas, and recommendations to make your WordPress site wonderful.

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 151 other subscribers

%d bloggers like this: