Do you host your own WordPress website? Do you use the popular All in One SEO Pack plugin?
If so, you need to update the plugin as soon as possible to the latest version.
The All in One SEO Pack plugin is a very popular choice for webmasters who wish to boost their WordPress-powered site’s position in search engine rankings. Indeed, over 18 million people have already downloaded the plugin for use on their websites.
But now a security firm has discovered an potentially dangerous security hole in the plugin’s code, that could leave the door open to malicious attackers.
Sucuri, who discovered the security vulnerabilities, explained the serious nature of the flaw:
While auditing their code, we found two security flaws that allows an attacker to conduct privilege escalation and cross site scripting (XSS) attacks.
In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.
The solution? Update to version 2.1.6 of the All in One SEO Pack plugin, which was released yesterday.
Many WordPress-powered websites use dozens of plugins from third parties, meaning it is just as important to keep them updated, and protected against security vulnerabilities as software on your regular computer.
If plugins have been coded sloppily by developers there is always the risk that your website could become compromised, and that they could put the computers of visiting users at risk.
Thankfully, in this case, the vulnerability was discovered by a security firm who responsibly informed the plugin developers of the potential issue, and the onus is now on website administrators to download the latest version of the plugin and apply it on their sites.
Please note: self-hosted WordPress sites are different from sites hosted on wordpress.com. You cannot run the plugin on WordPress.com, and so sites running on that managed platform are not affected.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
One comment on “Serious security hole found in SEO plugin used by millions of WordPress users. Update now”
This is just another in the long list of reasons why we advise our customers against using All in One SEO. While the plugin was great at one point, it's been lagging behind Yoast's WordPress SEO plugin for quite some time now. If you're still using AIO, this is a great excuse to switch over to Yoast. There's even a built-in data transfer method. :)