Wednesday, 13 July 2016

New Vulnerability in All in One SEO Pack Plugin 2.3.7 and earlier

Yesterday morning Panagiotis Vagenas, a Wordfence Security Researcher, discovered a new vulnerability in the All in One SEO Pack WordPress plugin. This is in addition to another serious vulnerability we wrote about yesterday morning in the same plugin.
As detailed yesterday, All in One SEO Pack is an extremely popular plugin with over 1,000,000 active installs. Both free and Premium Wordfence users with the firewall enabled had partial protection at the time we discovered this new vulnerability.
A firewall rule that provides complete protection was added to the Threat Defense Feed yesterday morning.
Yesterday afternoon the author released version 2.3.8, which fixes the vulnerability.
This unauthenticated stored XSS vulnerability allows an attacker to inject JavaScript code into a page that requires admin privileges to view. When a site admin visits the page, the malicious code that runs can perform administrative actions such as modifying existing user privileges, creating a new admin user or stealing admin session tokens.
This exploit only works if the user has enabled the sitemap module in the plugin. We have no way of estimating the percentage of All in One SEO Pack users who are vulnerable, but given the widespread use of the plugin and the importance of sitemaps for SEO, it is likely that hundreds of thousands of sites are impacted.
What to do?
Users running the All in One SEO Pack plugin should upgrade to version 2.3.8 immediately, and will receive a rule to completely protect against this vulnerability on August 11th.
In addition, we encourage you to share this post with the broader WordPress community to create awareness of this serious security issue.
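
A version check for the upgrade advice above, as an added example that is not from Wordfence or the plugin author: it reads the standard WordPress "Version:" header from a plugin's main PHP file and flags anything older than 2.3.8. The file path is supplied by the caller (an assumption, since the page names none) and the sample header is constructed.

```python
import re
import sys
from pathlib import Path

FIXED_VERSION = (2, 3, 8)  # first fixed release, per the advisory

# WordPress plugins declare their version on a "Version:" line in the
# header comment at the top of the main PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)


def parse_version(header_text):
    """Return the declared version as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(header_text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(version, width):
    """Right-pad with zeros so (2, 3) compares as 2.3.0."""
    return version + (0,) * (width - len(version))


def needs_upgrade(version):
    """True when the version is older than 2.3.8, compared numerically."""
    if version is None:
        return True  # no readable header: flag for manual review
    width = max(len(version), len(FIXED_VERSION))
    return _pad(version, width) < _pad(FIXED_VERSION, width)


def audit(plugin_file):
    """Check one plugin main file; the path is caller-supplied."""
    text = Path(plugin_file).read_text(errors="replace")[:8192]
    version = parse_version(text)
    return version, needs_upgrade(version)


# Constructed sample header, not copied from the plugin.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: All In One SEO Pack\nVersion: 2.3.7\n*/\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        found, stale = audit(path)
        print(path, found, "UPGRADE to 2.3.8" if stale else "ok")
```

The check covers the version only; it does not tell you whether the sitemap module is enabled on a given site.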