Sucuri Blog

Vulnerability found in the All in One SEO Pack WordPress Plugin

May 31, 2014, by Marc-Alexandre Montpas

The team behind the All in One SEO Pack just released a new version of their popular WordPress plugin.

It is a security release patching two privilege escalation vulnerabilities we discovered earlier this week, which may affect any website running the plugin.

Are You At Risk?

If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk. You have to update the plugin as soon as possible.

While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross-site scripting (XSS) attacks.

In the first case, a logged-in user without any kind of administrative privileges (such as an author or subscriber) could add or modify certain parameters used by the plugin. These include the post’s SEO title, description and keyword meta tags, all of which could lower a website’s Search Engine Results Page (SERP) ranking if used maliciously.

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered that this bug can be chained with another vulnerability to execute malicious JavaScript code in an administrator’s control panel. This means an attacker could potentially inject arbitrary JavaScript and do anything from changing the admin’s account password to leaving a backdoor in your website’s files in order to conduct even more “evil” activities later.
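The two weaknesses described above, shown side by side with a hardened form, as an added illustration in a hypothetical plugin (this is not All in One SEO Pack’s own code, and the meta key `_demo_seo_title`, the field name and the nonce name are assumptions):

```php
<?php
// Added illustration of the bug class this post describes, in a hypothetical
// plugin. Meta key, field name and nonce name are assumptions, not the plugin's.

// WEAK: any logged-in user who can reach the save handler can write SEO meta for
// ANY post id, because it checks neither a nonce nor the user's capability on
// the target post, and it stores the value unsanitized.
function weak_save_seo_meta( $post_id ) {
    if ( isset( $_POST['seo_title'] ) ) {
        update_post_meta( $post_id, '_demo_seo_title', $_POST['seo_title'] );
    }
}

// WEAK: the admin-side meta box echoes the stored value raw, so a stored value
// containing markup becomes stored XSS that runs in the administrator's browser.
function weak_render_seo_box( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    echo '<input name="seo_title" value="' . $title . '">';
}

// HARDENED: verify intent (nonce), skip autosaves, verify authorization
// (capability on THIS post, so a subscriber cannot touch someone else's post),
// and sanitize before storing.
function hardened_save_seo_meta( $post_id ) {
    if ( ! isset( $_POST['demo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_seo_nonce'], 'demo_seo_save_' . $post_id ) ) {
        return;
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['seo_title'] ) ) {
        $clean = sanitize_text_field( wp_unslash( $_POST['seo_title'] ) );
        update_post_meta( $post_id, '_demo_seo_title', $clean );
    }
}

// HARDENED: emit the nonce the save handler expects and escape on output, so a
// value that slipped into the database cannot execute in the admin panel.
function hardened_render_seo_box( $post ) {
    wp_nonce_field( 'demo_seo_save_' . $post->ID, 'demo_seo_nonce' );
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    echo '<input name="seo_title" value="' . esc_attr( $title ) . '">';
}

add_action( 'save_post', 'hardened_save_seo_meta' );
```

The capability check and the output escaping are independent fixes: the first closes the privilege escalation, the second closes the XSS even if bad data already exists in the database.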

How to Prevent This From Happening

We’re not going to reinvent the wheel on this one: upgrade to the latest version available for this plugin.

If you cannot do this, we highly recommend having a look at our CloudProxy WAF, which has been updated to protect our customers from this threat.

Categories: Vulnerability Disclosure, WordPress Security. Tags: WordPress Plugins and Themes

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Comments

  1. Mark

    May 31, 2014

    any PoC ?

    • perezbox

      June 2, 2014

      No.

      • Mark

        June 3, 2014

        Give me PoC pls. I want to hack sites.

        • Orun Bhuiyan

          June 3, 2014

          Tony can’t say it, so I will:

          don’t be an asshole, Mark.

  2. Jonas Lejon

    May 31, 2014

    Nice work. Keep up the good work Marc 🙂

  3. Rambo Ruiz

    June 1, 2014

    How does one upgrade when there’s no upgrade button available anywhere ?

    • Clint A. Butler

      June 1, 2014

      Sign into your WordPress admin panel, select plugins. Choose the All in One plugin. Go to the dropdown at the top or bottom of the page and pick “update”. If there is an update in the repository the system will check and update it for you.

      To be safe make sure you go to the plugin details page to ensure you have the most current version installed.

      • Rambo Ruiz

        June 1, 2014

        Thanks Clint I just did that 🙂

        • perezbox

          June 2, 2014

          If you still don’t see it I would recommend engaging with the developer directly.

          Thanks

          • Rambo Ruiz

            June 2, 2014

            I’ve already got it upgraded Perezbox. Thanks

      • Will

        June 18, 2014

        Clint, your post was the best at telling us how to do the update… so Thanks a ton for your help!

  4. Martyn Davis

    June 2, 2014

    Do you know that when your site is viewed using small screens (i.e. phones), your “SiteCheck Website Scanner” dialog consumes half the reading space? Maybe you should disable it when the size of the dialog takes up more than 10-15% of the available reading space.

    • perezbox

      June 2, 2014

      Yeah sorry about that, it should be fixed now.

  5. gefundenwerden

    June 3, 2014

    Wow, I made an update. Thank you for the info.

  6. Orun Bhuiyan

    June 3, 2014

    What’s unfortunate about this is that All-in-one SEO echoes a generator tag that indicates that the plugin is present and specifies the version number.

    I always found it really frustrating that WordPress SEO plugins do this, because when they’re found to have vulnerabilities, it’s that much easier to scrape a list of sites to target.

  7. Quinn

    June 4, 2014

    A client of mine received this email but we do not have this plugin installed. We have WordPress SEO by Yoast. Should I still take any action? Our WP and plugins are fully updated.

    • perezbox

      June 4, 2014

      They most likely received it as an informative email, if they don’t have it installed then there isn’t anything to address. 🙂

  8. www.destinsol.com

    June 16, 2014

    Thanks Clint I just did that.

    http://www.destinsol.com

  9. Ben Ustick

    June 16, 2014

    Thanks for the helpful information, Marc. I’ve included this in the Nexcess roundup of May’s best WordPress content in the hope that those who haven’t updated yet will see this article and do so. http://blog.nexcess.net/2014/06/05/roundup-of-mays-best-expressionengine-wordpress-and-magento-content/ Thanks again for the update.

    Ben

  10. Ciro Urdaneta

    June 17, 2014

    Excuse me, but this report is almost a hoax. Why doesn’t Sucuri show us the plugin version that is vulnerable?

  11. Dave Lawton

    June 17, 2014

    “this bug can be used with another vulnerability” is it possible to give any more info about what this “other vulnerability” is without revealing too much about the exploit? What I’m trying to determine is if a site does not have open registration and users are not logging in (as mentioned in the article), is it still vulnerable?

    • Dave Lawton

      June 17, 2014

      Is the “other vulnerability” just another vulnerability in older versions of the plugin? Also are these vulnerabilities present in very old versions of the plugin? What versions are affected?

  12. Buxykay

    June 18, 2014

    I think one of my sites has fallen prey to an attack because my hosting company informed me of a script overloading their servers. I have updated and everything seems to work fine.

    Thanks for this. Great work. I appreciate your efforts and care about people who use your plugin. I count this as a great sense of responsibility from your side.

  13. Dharmamitra Jeff Stfeani

    June 18, 2014

    Sharing Three Comments:
    1) YOU ROCK, HARD-CORE…THANK YOU! Shortly after you posted this Report, on Monday, 5/31/2014, I was notified by an automated Alert, responded accordingly, “Battened Down the Hatches”…immediately securing all of my Clients’ WordPress sites, and, (with the aid of a Social Media Mgt. Tool), Shared a Link to this URL, (with Title + Description + appropriate #hashtags) across ≈ 20 various Digital Media+Platforms…of which, many were then passed, much further into the Web.

    2) Granted, semantics are relative, so, when you state that: ‘While it does not *necessarily* look that bad…’ in
    reference to potential negative SERPs impact, the wisely placed “necessarily” is such a powerful qualifier that it, essentially, negates the remainder of the sentence. However, that’s not an accurate assessment of the full implications of adding and/or modifying the most significant HTML Elements, which can, ultimately, affect *so much more* than a particular Post/URL SERPs.

    It’s beyond the scope of this comment to explain the full implications, but my point is that the All-in-1-SEO-Pack vulnerability equates to much more than potential SERPs impact; it opens the door for full out *Negative-SEO Attacks!* Suffice to say; I don’t agree with your sentiment.

    3) Lastly, I just want to add that I received an email from GoDaddy today, referencing this/your Blog Post, and advising that a survey has shown that I have the All-in-1-SEO-Pack installed, and that I should remedy this, ASAP. Thank goodness I received a notification regarding your Post, responded, and shared this info within a few hours of this Posting…and do not rely on the cracker jack response of the GoDaddy “Hosting Security Admin Team!”

  14. confused?

    June 18, 2014

    why is this information not listed on the plugin site?

  15. Omoyemi

    June 19, 2014

    noted and corrected.

  16. photokellytaylor

    June 19, 2014

    So I am lost, and do not know what to do. Wow.
