Wordfence’s Threat Intelligence team has discovered a vulnerability in a WordPress plugin installed on over two million sites called All In One SEO Pack.
If exploited, the flaw could allow authenticated users with contributor level access or higher to inject malicious scripts which are executed when a victim accesses the wp-admin panel’s ‘all posts’ page.
After discovering this medium severity security issue, Wordfence reached out to the plugin’s team and All In One SEO Pack received a patch to fix the issue just a few days later.
Users of the plugin should update to the latest version of All In One SEO Pack (3.6.2) immediately to avoid falling victim to any potential attacks that try to exploit the now patched vulnerability.
All In One SEO Pack
All in One SEO Pack is a WordPress plugin that provides several SEO features to help a site’s content rank higher on Google and other search engines.
As part of the plugin’s functionality, it allows users with the ability to create or edit posts to set an SEO title and description directly from a post as they are working on it. This feature is available to all users with the ability to create posts such as contributors, authors and editors.
Unfortunately before the plugin was patched, the SEO meta data for posts, which includes the SEO title and SEO description fields, had no input sanitization. This allows lower-level users like contributors and authors to inject HTML and malicious JavaScript code into those fields.
As the SEO title and SEO description for each post are displayed on the ‘all posts’ page, any values added to these fields would also be displayed there in an unsanitized format which would cause any saved scripts in these fields to be executed any time a user accessed this page.
In version 3.6.2 of All in One SEO Pack, the plugin’s developer has added sanitization to all of the SEO post meta values so that any code injected into them would be unable to become executable scripts.