Fang Kiang Ng 6 months ago

Plugin Vulnerability Affects 3+ Million websites (All-in-One SEO WP Plugin) WordPress

All In One SEO is a WordPress plugin that provides search engine optimization tools for content creators. It is a WordPress plugin that helps you improve your website SEO (search engine optimization). With the plugin, you to easily add title tags, meta descriptions, keywords, and other elements that are important for on-page SEO optimization. It is one of the most popular WordPress SEO plugins with over 3 million active installs.

Unfortuntely, some versions of this plugin do not protect the site titles, meta descriptions and other things that you enter when you make a new post or page, or when you change the plugin settings. This means that users who can write posts, like contributors, can put bad code into those things, and that code will run in the browser of any logged-in user, like a site’s administrator, who edits such a post or page.

Here is a summary of All In One SEO Patches Multiple Stored XSS Vulnerabilities in Version 4.3.0:

The plugin was found to have two stored XSS vulnerabilities that could allow attackers to inject malicious scripts on vulnerable sites.
The vulnerabilities were discovered by the Wordfence team who notified the plugin’s team and disclosed them responsibly.
The plugin’s team released version 4.3.0 to patch the vulnerabilities and urged users to update their plugin versions as soon as possible.
However, only a small percentage of users have updated their plugin versions, leaving many sites still exposed to potential attacks.

The current 25.5 % of users have been updated to version 4.3. However, there are still more than 2 million+ not yet updated. It is recommended to update it as soon as possible to cover up the security patch.

Refer below to read more:

Plugin Vulnerability Affects 3+ Million websites (All-in-One SEO WP Plugin) WordPress

Jorcus

Resources

More