Serious security hole found in SEO plugin used by millions of WordPress users. Update now

SEO PluginDo you host your own WordPress website? Do you use the popular All in One SEO Pack plugin?

If so, you need to update the plugin as soon as possible to the latest version.

The All in One SEO Pack plugin is a very popular choice for webmasters who wish to boost their WordPress-powered site’s position in search engine rankings. Indeed, over 18 million people have already downloaded the plugin for use on their websites.

But now a security firm has discovered an potentially dangerous security hole in the plugin’s code, that could leave the door open to malicious attackers.

Sign up to our free newsletter.
Security news, advice, and tips.

Sucuri, who discovered the security vulnerabilities, explained the serious nature of the flaw:

While auditing their code, we found two security flaws that allows an attacker to conduct privilege escalation and cross site scripting (XSS) attacks.

In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator’s control panel. Now, this means that an attacker could potentially inject any javascript code and do things like changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later.

The solution? Update to version 2.1.6 of the All in One SEO Pack plugin, which was released yesterday.

Many WordPress-powered websites use dozens of plugins from third parties, meaning it is just as important to keep them updated, and protected against security vulnerabilities as software on your regular computer.

WordPress plugins

If plugins have been coded sloppily by developers there is always the risk that your website could become compromised, and that they could put the computers of visiting users at risk.

Thankfully, in this case, the vulnerability was discovered by a security firm who responsibly informed the plugin developers of the potential issue, and the onus is now on website administrators to download the latest version of the plugin and apply it on their sites.

Please note: self-hosted WordPress sites are different from sites hosted on wordpress.com. You cannot run the plugin on WordPress.com, and so sites running on that managed platform are not affected.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

One comment on “Serious security hole found in SEO plugin used by millions of WordPress users. Update now”

  1. This is just another in the long list of reasons why we advise our customers against using All in One SEO. While the plugin was great at one point, it's been lagging behind Yoast's WordPress SEO plugin for quite some time now. If you're still using AIO, this is a great excuse to switch over to Yoast. There's even a built-in data transfer method. :)

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.