Alert: All in One SEO WordPress Plugin Vulnerable


Warning: The popular All in One SEO Pack WordPress plugin is vulnerable to privilege escalation and cross-site scripting attacks. All versions of the plugin prior to the recently released 2.1.6 are affected. To mitigate this threat, update to version 2.1.6 as soon as possible.

Privilege Escalation

The discovered privilege escalation vulnerability allows WordPress users to modify your website’s SEO components without needing administrator permissions. A malicious actor could do so to negatively impact your website’s search engine ranking.

Cross Site Scripting

The discovered cross-site scripting (XSS) vulnerability allows an attacker to inject malicious JavaScript code into a WordPress administrator’s control panel. That code could be designed to perform any number of malicious actions, including the installation of a backdoor for monitoring purposes.

Ensuring Protection

The most immediate method of threat mitigation is to install the official plugin update, version 2.1.6. Additionally, you should evaluate how users interact with your WordPress site. Disabling open registration can increase your site’s security and can help protect it from future threats of this nature.
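
To confirm which installs still need the update, the following added example (not from the original post or the plugin's authors) reads the plugin's header and compares its version with 2.1.6. It assumes the plugin sits at its standard wordpress.org path, wp-content/plugins/all-in-one-seo-pack/all_in_one_seo_pack.php; the function names are hypothetical and the sample header is constructed.

```python
import re
import sys
from pathlib import Path

FIXED_VERSION = (2, 1, 6)  # first fixed release named in the advisory
# Assumption: standard wordpress.org directory and main file for this plugin.
PLUGIN_MAIN = Path("wp-content/plugins/all-in-one-seo-pack/all_in_one_seo_pack.php")
# Same shape as the "Version:" line WordPress looks for in a plugin header.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

# Constructed sample header, used by the self-check below.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: All In One SEO Pack\nVersion: 2.1.5\n*/\n"


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    match = HEADER_RE.search(text[:8192])  # WordPress only reads the first 8 KB
    if not match:
        return None
    return tuple(int(n) for n in re.findall(r"\d+", match.group(1))) or None


def is_vulnerable(version):
    """True when the version predates the fix; unknown counts as vulnerable."""
    if version is None:
        return True
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))  # 2.2 -> 2.2.0
    return padded < FIXED_VERSION


def audit(wp_root):
    """Return (status, version) for one WordPress document root."""
    main = Path(wp_root) / PLUGIN_MAIN
    if not main.is_file():
        return ("not-installed", None)
    version = parse_version(main.read_text(errors="replace"))
    return ("vulnerable" if is_vulnerable(version) else "patched", version)


if __name__ == "__main__":
    assert is_vulnerable(parse_version(SAMPLE_HEADER))
    for root in sys.argv[1:]:
        status, version = audit(root)
        print(f"{root}: {status} {'.'.join(map(str, version or ()))}")
```

Pass one or more WordPress document roots as arguments; a header with no readable version is reported as vulnerable so that it gets a manual look.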

More details on these vulnerabilities can be found at the Sucuri Blog.

Have a Great (Malware-Free) Day!