Wordfence Threat Intelligence Team discovered a vulnerability on July 10 in All In One SEO Pack, a WordPress plugin that is active on more than 2 million sites.
This vulnerability allowed authenticated users with contributor-level access or above to store malicious scripts that would execute whenever a victim viewed the ‘All Posts’ page of the wp-admin panel.
The Wordfence team contacted the plugin’s developers on the day of discovery, July 10, 2020, and a patch was released on July 15, 2020, only a few days later.
This vulnerability has been rated as a medium-severity security issue which, as with all stored XSS vulnerabilities, could lead to a complete site takeover if an administrator views the injected script. The Wordfence team strongly recommends upgrading this plugin to the latest version immediately. At the time of writing, that is All in One SEO Pack version 3.6.2.
All In One SEO Pack
All in One SEO Pack is a WordPress plugin that bundles several SEO tools to help a site’s content rank higher on Google and other search engines.
As part of the plugin’s features, it lets users set an SEO title and SEO description for a post directly from the post editor while creating or updating it. This functionality is available to every user capable of creating posts, such as contributors, authors, and editors.
Unfortunately, before the plugin was patched, the per-post SEO metadata, which includes the SEO title and SEO description fields, was saved without any input sanitization. This allowed lower-privileged users, such as contributors and authors, to inject HTML and malicious JavaScript into those fields.
Because the SEO title and SEO description for each post are displayed on the ‘All Posts’ page, any values stored in these fields were also output there unescaped, so any saved script in those fields executed in the browser of every user who visited that page, including administrators.
In version 3.6.2 of All in One SEO Pack, the plugin’s developer added sanitization to all of the SEO post meta values, so that code inserted into them can no longer become an executable script.
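To make the bug class concrete, the following is an added illustrative example (not code from All in One SEO Pack or Wordfence) of a custom post-meta field that is vulnerable to exactly this stored XSS, beside its hardened form. The hook names, meta key (`_example_seo_title`), column name and nonce name are assumptions chosen for the illustration. The key point is that `update_post_meta()` does not run post meta through `wp_kses` the way post content is filtered for users without the `unfiltered_html` capability, so a contributor can store raw `<script>` tags unless the plugin sanitizes them itself, and the admin list table must still escape on output.

```php
<?php
/**
 * Added example: stored XSS through a per-post "SEO title" meta field.
 * This is NOT All in One SEO Pack's code; hook, meta key and column names
 * are assumptions made for illustration only.
 */

/* ---------- Vulnerable pattern: raw input stored, raw meta echoed ---------- */

// Any user who can edit a post (a contributor editing their own draft) can submit
// this field. The value is written to post meta with no sanitization at all.
function example_seo_save_vulnerable( $post_id ) {
    if ( isset( $_POST['example_seo_title'] ) ) {
        // Vulnerable: post meta is not passed through wp_kses for low-privilege users,
        // so '<script>...</script>' is stored verbatim.
        update_post_meta( $post_id, '_example_seo_title', $_POST['example_seo_title'] );
    }
}

// The "All Posts" list table renders the stored value without escaping, so the
// payload executes for every user who views the page, including administrators.
function example_seo_column_vulnerable( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        echo get_post_meta( $post_id, '_example_seo_title', true ); // Vulnerable output
    }
}

/* ---------- Hardened pattern: sanitize on write, escape on output ---------- */

// Assumes the meta box prints wp_nonce_field( 'example_seo_save', 'example_seo_nonce' ).
function example_seo_save_hardened( $post_id ) {
    // Only a user allowed to edit this particular post may change its meta.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Reject requests that did not originate from our own edit form (CSRF protection).
    if ( ! isset( $_POST['example_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_save' ) ) {
        return;
    }
    if ( isset( $_POST['example_seo_title'] ) ) {
        // sanitize_text_field() strips tags, removes line breaks and encodes a lone '<',
        // which is appropriate for a plain-text title that should never contain markup.
        $title = sanitize_text_field( wp_unslash( $_POST['example_seo_title'] ) );
        update_post_meta( $post_id, '_example_seo_title', $title );
    }
}

function example_seo_column_hardened( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        // Escape on output regardless of what was sanitized on input: esc_html()
        // turns < > & " ' into entities, so stored markup is displayed, never executed.
        echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
    }
}

/* ---------- Wire up the hardened handlers (vulnerable pair left for comparison) ---------- */

add_action( 'save_post', 'example_seo_save_hardened' );

add_filter( 'manage_posts_columns', function ( $columns ) {
    $columns['example_seo_title'] = 'SEO Title';
    return $columns;
} );

add_action( 'manage_posts_custom_column', 'example_seo_column_hardened', 10, 2 );
```

Defense in depth matters here: sanitizing on save protects the database from carrying executable markup, while escaping on output protects the admin page even if a value reached the database through another path (an import, an older plugin version, or direct database access). A quick way to check a site for this class of bug is to log in as a contributor, submit a title such as `"><img src=x onerror=alert(document.domain)>` through the post editor, and confirm that the ‘All Posts’ page shows the text literally rather than running it.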