Vulnerability found in the All in One SEO Pack WordPress Plugin

The team behind the All in One SEO Pack just released a new version of their popular WordPress plugin.

It is a security release patching two vulnerabilities we discovered earlier this week: a privilege escalation issue and a cross-site scripting (XSS) issue that chains with it. They may affect any website running the plugin.

The risks

If your site has subscribers, authors or other non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk. In either case, update the plugin now.

While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross-site scripting (XSS) attacks.

In the first case, a logged-in user without any administrative privileges (an author or a subscriber, for example) could add or modify certain parameters used by the plugin, including a post's SEO title, description and keyword meta tags. Used maliciously, this could lower a website's Search Engine Results Page (SERP) ranking.

While that may not look so bad at first (yes, losing SERP rank is no good, but no one is hurt at this point, right?), we also found that this bug can be combined with another vulnerability to execute malicious JavaScript code in an administrator's control panel. This means an attacker could potentially inject arbitrary JavaScript and do anything from changing the admin's account password to leaving a backdoor in your website's files in order to conduct even more "evil" activities later.
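The bug class described above, as an added example that is not code from the All in One SEO Pack plugin or from Sucuri: a WordPress meta box that stores a per-post SEO title. The vulnerable version writes whatever arrives in the request on every `save_post` with no nonce and no capability check, then echoes the stored value back into the admin screen unescaped, which is exactly the combination that lets a low-privilege user plant meta that later runs as JavaScript in an administrator's browser. The hardened version adds the nonce, the `current_user_can( 'edit_post', ... )` check, input sanitisation and output escaping. The meta key `_demo_seo_title`, the nonce action `demo_seo_save` and every function name are hypothetical names chosen for this example.

```php
<?php
/*
 * Illustrative WordPress meta-box handler (added example; not the plugin's code).
 * All identifiers ('_demo_seo_title', 'demo_seo_save', demo_seo_* functions)
 * are invented for this example.
 */

// VULNERABLE SAVE: no nonce, no capability check. Any authenticated user who can
// make a request that fires save_post for a post can overwrite its SEO meta.
function demo_seo_save_vulnerable( $post_id ) {
    if ( isset( $_POST['demo_seo_title'] ) ) {
        update_post_meta( $post_id, '_demo_seo_title', $_POST['demo_seo_title'] );
    }
}

// VULNERABLE OUTPUT: the stored value is printed into an attribute unescaped,
// so a value such as  "><script>/* attacker code */</script>  runs in the
// browser of whichever administrator opens the post editor.
function demo_seo_metabox_vulnerable( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    echo '<input type="text" name="demo_seo_title" value="' . $title . '">';
}

// HARDENED OUTPUT: a nonce ties the save request to this form, and esc_attr()
// neutralises quotes and angle brackets in the attribute context.
function demo_seo_metabox_hardened( $post ) {
    wp_nonce_field( 'demo_seo_save', 'demo_seo_nonce' );
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    echo '<input type="text" name="demo_seo_title" value="' . esc_attr( $title ) . '">';
}

// HARDENED SAVE
function demo_seo_save_hardened( $post_id ) {
    // 1. Ignore autosaves; they never carry our form fields.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // 2. Require a valid nonce so the request originated from our meta box.
    if ( ! isset( $_POST['demo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_seo_nonce'], 'demo_seo_save' ) ) {
        return;
    }
    // 3. Require that the current user may edit THIS post. A Subscriber fails
    //    here; an Author fails for posts that are not their own.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['demo_seo_title'] ) ) {
        // 4. Sanitise on input (strip tags, normalise whitespace) and still
        //    escape on output, as above; neither step alone is sufficient.
        $title = sanitize_text_field( wp_unslash( $_POST['demo_seo_title'] ) );
        update_post_meta( $post_id, '_demo_seo_title', $title );
    }
}

add_action( 'save_post', 'demo_seo_save_hardened' );
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'demo_seo', 'Demo SEO', 'demo_seo_metabox_hardened', 'post' );
} );
```

The check that matters most for the privilege escalation half is step 3: `current_user_can( 'edit_post', $post_id )` is evaluated against the specific post, so it cannot be satisfied by simply holding a login. The check that matters for the XSS half is `esc_attr()` at output time; sanitising on save helps, but anything that reaches the database through another path (an import, an older plugin version, a direct SQL write) is only caught by escaping where the value is rendered.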

How to prevent this from happening

We’re not going to reinvent the wheel on this one: upgrade to the latest version available for this plugin.

If you cannot do this, we highly recommend taking a look at our CloudProxy WAF, which has been updated to protect our customers from this threat.

About Marc-Alexandre Montpas

Marc is a Senior Vulnerability Researcher, leading the vulnerability disclosure team and a member of SucuriLabs. His passion for code and IT security has no limit. You'll generally find him competing in capture-the-flag security competitions or searching for security vulnerabilities in widespread products for the fun of it. He's also a great fan of heavy-metal music. Find him on Twitter: @MarcS0h.

  • Mark

    any PoC ?

    • perezbox

      No.

      • Mark

        Give me PoC pls. I want to hack sites.

        • http://www.cynicologist.com/ Orun Bhuiyan

          Tony can’t say it, so I will:

          don’t be an asshole, Mark.

  • https://triop.se Jonas Lejon

    Nice work. Keep up the good work Marc :)

  • http://blog.ramboruiz.com/ Rambo Ruiz

    How does one upgrade when there’s no upgrade button available anywhere ?

    • http://clintbutler.net Clint A. Butler

      Sign into your WordPress admin panel and select Plugins. Choose the All in One plugin. Go to the dropdown at the top or bottom of the page and pick "Update". If there is an update in the repository, the system will check and update it for you.

      To be safe make sure you go to the plugin details page to ensure you have the most current version installed.

      • http://blog.ramboruiz.com/ Rambo Ruiz

        Thanks Clint I just did that :)

        • perezbox

          If you still don’t see it I would recommend engaging with the developer directly.

          Thanks

          • http://blog.ramboruiz.com/ Rambo Ruiz

            I’ve already got it upgraded Perezbox. Thanks

      • Will

        Clint, your post was the best at telling us how to do the update… so Thanks a ton for your help!

  • Martyn Davis

    Do you know that when your site is viewed using small screens (ie phones), that your “SiteCheck Website Scanner” dialog consumes half the reading space. Maybe you should disable it when the size of the dialog takes up more than 10-15% of the available reading space.

    • perezbox

      Yeah sorry about that, it should be fixed now.

  • http://www.gefundenwerden.at/ gefundenwerden

    Wow, I made an update. Thank you for the info.

  • http://www.cynicologist.com/ Orun Bhuiyan

    What’s unfortunate about this is that All-in-one SEO echoes a generator tag that indicates that the plugin is present and specifies the version number.

    I always found it really frustrating that WordPress SEO plugins do this, because when they’re found to have vulnerabilities, it’s that much easier to scrape a list of sites to target.

  • Quinn

    A client of mine received this email but we do not have this plugin installed. We have WordPress SEO by Yoast. Should I still take any action? Our WP and plugins are fully updated.

    • perezbox

      They most likely received it as an informative email, if they don’t have it installed then there isn’t anything to address. :)

  • http://blog.iws.com.ve/ Ciro Urdaneta

    Excuse me, but this report is almost a hoax. Why doesn't Sucuri show us the plugin version that is vulnerable?

  • Dave Lawton

    “this bug can be used with another vulnerability” is it possible to give any more info about what this “other vulnerability” is without revealing too much about the exploit? What I’m trying to determine is if a site does not have open registration and users are not logging in (as mentioned in the article), is it still vulnerable?

    • Dave Lawton

      Is the “other vulnerability” just another vulnerability in older versions of the plugin? Also are these vulnerabilities present in very old versions of the plugin? What versions are affected?

  • Buxykay

    I think one of my sites has fallen prey to an attack because my hosting company informed me of a script overloading their servers. I have updated and everything seems to work fine.

    Thanks for this. Great work. I appreciate your efforts and care about people who use your plugin. I count this as a great sense of responsibility from your side.

  • http://Dharmamitra.Org Dharmamitra Jeff Stfeani

    Sharing Three Comments:
    1) YOU ROCK, HARD-CORE…THANK YOU! Shortly after you posted this Report, on Monday, 5/31/2014, I was notified by an automated Alert, responded accordingly––"Battened Down the Hatches"…immediately securing all of my Clients' WordPress sites, and, (with the aid of Social Media Mgt. Tool), Shared a Link to this URL, (with Title + Description + appropriate #hashtags) across ≈ 20 various Digital Media+Platforms…of which, many were then passed, much further into the Web.

    2) Granted, semantics are relative, so, when you state that: ‘While it does not *necessarily* look that bad…’ in
    reference to potential negative SERPs impact, the wisely placed “necessarily” is such a powerful qualifier that it, essentially, negates the remainder of the sentence. However, that’s not an accurate assessment of the full implications of adding and/or modifying the most significant HTML Elements, which can, ultimately, affect *so much more* than a particular Post/URL SERPs.

    It's beyond the scope of this comment to explain the full implications, but my point is that the All-in-1-SEO-Pack vulnerability equates to much more than potential SERPs impact; it opens the door for full-out *Negative-SEO Attacks!* Suffice to say, I don't agree with your sentiment.

    3) Lastly, I just want add that, I received an email from GoDaddy today, referencing this/your Blog Post, and advising that a survey has shown that I have the All-in-1-SEO-Pack installed, and that I should remedy this, ASAP. Thank goodness I received a notification regarding your Post, responded, and shared this info within a few hours of this Posting…and do not rely on the cracker jack response of the GoDaddy “Hosting Security Admin Team!”

  • confused?

    Why is this information not listed on the plugin site?

  • Omoyemi

    noted and corrected.

  • photokellytaylor

    So I am lost, and do not know what to do. Wow.