WordPress All-In-One SEO Pack Vulnerabilities Patched

A popular WordPress plugin could leave potentially millions of websites vulnerable if left unpatched.

A web design firm has patched two privilege escalation vulnerabilities that could have led to cross-site scripting attacks in a popular WordPress plugin it manages. If left unpatched, the issue could leave potentially millions of websites vulnerable.

The problem exists in old versions of the All in One SEO Pack, a plugin that optimizes WordPress for search engines. Semper Fi, a web development company in charge of overseeing multiple WordPress plugins, manages the plugin.

While there are around 73 million websites on the internet currently running WordPress, about 20 percent of them, 15 million or so, use the All in One SEO Pack, making it one of the content management platform’s top five most popular plugins.

Marc-Alexandre Montpas, a researcher at the security firm Sucuri, said his research team discovered the vulnerabilities last week while auditing the company’s code. Montpas discussed them in a blog entry posted over the weekend.

The vulnerability can apparently allow a user without administrative privileges who’s logged into a WordPress site to modify parameters in the plugin. The user could go on to tweak posts’ SEO titles, descriptions and keyword meta tags. While these actions are mostly just meddlesome, they could be problematic for site managers.

Perhaps more alarming is that, according to Sucuri, the vulnerability could be coupled with another vulnerability and used to trigger malicious JavaScript code on the admin panel. As a result, an attacker could change an admin’s password or implement a backdoor in one of the site’s files to trigger at a later date.

Semper Fi was quick to patch the issues. It pushed out a fixed version, 2.1.6, on Sunday that addresses the Sucuri issues along with a handful of other bug fixes reported by users in the company’s support forums.

WordPress users should be able to update their plugin by signing into their WordPress administrative panel, going to the All in One plugin, going to the dropdown at the top or bottom of the page and clicking “Update.” Users can also head to WordPress’ plugin directory.

Vulnerabilities in WordPress plugins have unfortunately become commonplace. In February, Duo Security revealed that there was a problem in its plugin that could let a user bypass two-factor authentication on multisite networks.

A research paper last year, “The Security State of WordPress’ Top 50 Plugins,” pointed out that vulnerable WordPress plugins have been downloaded eight million times, something that’s led to a multitude of high profile attacks and even more website compromises over the years.

  • Scott Spinola on

    Thanks for sharing this. Luckily I installed it after the update. This is the fundamental flaw in the WordPress model: the reliance on plug-ins to provide what should be core functionality. This makes site maintenance a nightmare. If you can't afford custom development, you have to rely on often small-time, third-party developers to maintain your core functionality with no real way of determining if the developer is competent enough to handle secure development and/or if WordPress updates will break them. I get that you can't design in every feature that anyone could conceivably want, but WordPress doesn't even have basic meta tag management or the ability to turn off registration notifications in the core platform. That's ridiculous.
