Vulnerability found in the All in One SEO Pack WordPress Plugin

  • May 31, 2014

The team behind the All in One SEO Pack just released a new version of their popular WordPress plugin.

It is a security release patching two privilege escalation vulnerabilities we discovered earlier this week that may affect any web site running it.

Are You At Risk?

If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk. You have to update the plugin as soon as possible.

While auditing their code, we found two security flaws that allows an attacker to conduct privilege escalation and cross site scripting (XSS) attacks.

In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator’s control panel. Now, this means that an attacker could potentially inject any javascript code and do things like changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later.

How to Prevent This From Happening

We’re not going to reinvent the wheel on this one: upgrade to the latest version available for this plugin.

In the event where you could not do this, we highly recommend you to have a look at our CloudProxy WAF which has been updated to protect our customers from this threat.

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Related Tags
27 comments

    1. Sign into your WordPress admin panel, select plugins. Chose the All in One plugin. Go to the dropdown at the top or bottom of the page and pick “update” If there is an update in the repository the system will check and update it for you.

      To be safe make sure you go to the plugin details page to ensure you have the most current version installed.

        1. If you still don’t see it I would recommend engaging with the developer directly.

          Thanks

      2. Clint, your post was the best at telling us how to do the update… so Thanks a ton for your help!

  4. Do you know that when your site is viewed using small screens (ie phones), that your “SiteCheck Website Scanner” dialog consumes half the reading space. Maybe you should disable it when the size of the dialog takes up more than 10-15% of the available reading space.

  6. What’s unfortunate about this is that All-in-one SEO echoes a generator tag that indicates that the plugin is present and specifies the version number.

    I always found it really frustrating that WordPress SEO plugins do this, because when they’re found to have vulnerabilities, it’s that much easier to scrape a list of sites to target.

  7. A client of mine received this email but we do not have this plugin installed. We have WordPress SEO by Yoast. Should I still take any action? Our WP and plugins are fully updated.

    1. They most likely received it as an informative email, if they don’t have it installed then there isn’t anything to address. 🙂

  11. “this bug can be used with another vulnerability” is it possible to give any more info about what this “other vulnerability” is without revealing too much about the exploit? What I’m trying to determine is if a site does not have open registration and users are not logging in (as mentioned in the article), is it still vulnerable?

    1. Is the “other vulnerability” just another vulnerability in older versions of the plugin? Also are these vulnerabilities present in very old versions of the plugin? What versions are affected?

  12. I think one of my sites has fallen prey to an attack because my hosting company informed me of a script overloading their servers. I have updated and everything seems to work fine.

    Thanks for this. Great work. I appreciate your efforts and care about people who use your plugin. I count this as a great sense of responsibility from your side.

  13. Sharing Three Comments:
    1) YOU ROCK, HARD-CORE…THANK YOU! Shortly after you posted this Report, on Monday,5/31/2014, I was notified by an automated Alert, responded accordingly––“Battened Down the Hatches”…immediately securing all of my Clients’ WordPress sites, and, (with the aid of Social Media Mgt. Tool), Shared a Link to this URL, (with Title + Description + appropriate #hashtags) across ≈ 20 various Digital Media+Platforms…of which, many were then passed, much further into the Web.

    2) Granted, semantics are relative, so, when you state that: ‘While it does not *necessarily* look that bad…’ in
    reference to potential negative SERPs impact, the wisely placed “necessarily” is such a powerful qualifier that it, essentially, negates the remainder of the sentence. However, that’s not an accurate assessment of the full implications of adding and/or modifying the most significant HTML Elements, which can, ultimately, affect *so much more* than a particular Post/URL SERPs.

    It’s beyond the scope of this comment to explain the full implications, but my point is that the All-in-1-SEO-Pack vulnerability equates to much more than potential SERPs impact, it open the door for full out *Negative-SEO Attacks!*Suffice to say; I don’t agree with your sentiment.

    3) Lastly, I just want add that, I received an email from GoDaddy today, referencing this/your Blog Post, and advising that a survey has shown that I have the All-in-1-SEO-Pack installed, and that I should remedy this, ASAP. Thank goodness I received a notification regarding your Post, responded, and shared this info within a few hours of this Posting…and do not rely on the cracker jack response of the GoDaddy “Hosting Security Admin Team!”

Comments are closed.

Related Categories
You May Also Like