A serious All in One SEO Pack Plug-in vulnerability that could allow a malicious actor to gain access to the admin account on WordPress websites using the plugin has now been remediated. Anyone with a WordPress website with the All in One SEO Pack Plug-in installed is advised to update to the latest version as soon as possible.
The All in One SEO Pack Plug-in is a popular choice for improving search engine optimization; it is installed on around one million websites to date and has been downloaded some 30 million times.
All in One SEO Pack Plug-in Vulnerability
The All in One SEO Pack Plug-in vulnerability is in the “Bot Blocker” component. Should a malicious actor succeed in exploiting the vulnerability, it would be possible to steal administrator tokens and perform any number of malicious actions on the website without the site owner’s knowledge.
The vulnerability allows a malicious actor to perform a cross-site scripting (XSS) attack and inject code into an HTML page that is displayed in the admin panel.
HTTP requests can be sent with headers containing malicious JavaScript code; the plugin logs those headers and displays them to the site administrator. Since the plugin logs and displays these requests without performing any sanitization, the malicious code becomes part of the page viewed by the administrator. When the page is viewed, the attacker could steal administrator session tokens, which could then be used to log in to the site’s admin panel without having to authenticate.
The vulnerability can only be exploited if the site administrator has enabled the “track blocked bots” function. If this function has not been enabled, the requests are not logged and so never appear in the HTML page.
The latest version of the plug-in – version 2.3.7 – corrects the issue and prevents XSS attacks via this vulnerability.
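As an added illustration (not code from the All in One SEO Pack plugin or its authors), the plain-PHP model below shows the defect class described above: a request header is stored in a blocked-bot log and later rendered into an admin page. The log structure, function names, IP addresses and the sample User-Agent string are assumptions constructed for this example. WordPress's own output-escaping function is esc_html(); htmlspecialchars() stands in for it so the file runs with plain PHP.

```php
<?php
// Added example, not the plugin's code. Models a "blocked bot" log that
// stores a request header and later renders it in an admin page.

// Constructed sample: a request whose User-Agent carries markup. A plain
// <script> marker is enough to show the rendering difference.
const SAMPLE_USER_AGENT = 'BadBot/1.0 <script>alert(1)</script>';

// Records a blocked request exactly as received (assumed log shape).
function record_blocked_request(array &$log, string $ip, string $userAgent): void {
    $log[] = ['ip' => $ip, 'ua' => $userAgent, 'ts' => gmdate('c')];
}

// VULNERABLE pattern: interpolates stored header text straight into HTML,
// so a browser viewing the admin page executes whatever the client sent.
function render_log_vulnerable(array $log): string {
    $html = "<table>\n";
    foreach ($log as $entry) {
        $html .= "<tr><td>{$entry['ip']}</td><td>{$entry['ua']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// HARDENED pattern: escape every untrusted value at the point of output.
// Both the IP (it may come from a forwarded header) and the User-Agent are
// attacker-controlled. Inside WordPress, esc_html() does this job.
function render_log_hardened(array $log): string {
    $html = "<table>\n";
    foreach ($log as $entry) {
        $ip = htmlspecialchars($entry['ip'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $ua = htmlspecialchars($entry['ua'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<tr><td>{$ip}</td><td>{$ua}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Defender check: return the indexes of log entries whose User-Agent
// contains anything that looks like a tag, comment or processing
// instruction. Useful for auditing a log written by an unpatched version.
function find_markup_in_log(array $log): array {
    $suspicious = [];
    foreach ($log as $i => $entry) {
        if (preg_match('/<\s*\/?\s*[a-z!?]/i', $entry['ua'])) {
            $suspicious[] = $i;
        }
    }
    return $suspicious;
}

// Self-check so the file demonstrates the difference when run directly.
function self_check(): bool {
    $log = [];
    record_blocked_request($log, '203.0.113.7', 'Mozilla/5.0 (compatible; GoodBot/2.1)');
    record_blocked_request($log, '203.0.113.8', SAMPLE_USER_AGENT);

    $vulnerable = render_log_vulnerable($log);
    $hardened   = render_log_hardened($log);

    // The vulnerable page carries a live <script> tag; the hardened page
    // carries only the escaped text &lt;script&gt;, which is displayed, not run.
    $ok = strpos($vulnerable, '<script>') !== false
        && strpos($hardened, '<script>') === false
        && strpos($hardened, '&lt;script&gt;') !== false
        && find_markup_in_log($log) === [1];

    echo $hardened;
    echo 'Entries containing markup: ' . implode(',', find_markup_in_log($log)) . "\n";
    return $ok;
}

exit(self_check() ? 0 : 1);
```

Run it with `php xss-log-demo.php`; it prints the escaped table, lists entry 1 as containing markup, and exits non-zero if either renderer behaves unexpectedly. The point of the hardened renderer is that escaping happens at output time for every stored field, regardless of what was accepted at logging time.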
Time to Update WordPress Websites
Unfortunately, many WordPress website administrators update their plugins infrequently, if at all. Consequently, many websites are likely to remain vulnerable for some time. If access to sites is gained using the All in One SEO Pack Plug-in vulnerability, an attacker could add exploit kits to the websites. Visitors to those sites would therefore be placed at risk of having malware and ransomware downloaded onto their devices. If malware is loaded onto WordPress sites and this is discovered by Google, the websites could be removed from search engine listings.
All WordPress site administrators that have the All in One SEO Pack Plug-in installed should therefore update the plugin immediately. It is also a good opportunity to update all other out-of-date plugins and update WordPress to prevent other vulnerabilities from being exploited.