15 million WordPress instances run flawed SEO plugin
All in One SEO Pack plugin team has released an emergency security update that patches two critical privilege escalation vulnerabilities and one cross site scripting (XSS) flaw, discovered by security researchers at Sucuri, a web monitoring and malware clean up service.
More than 73 million websites on the Internet run their websites on the WordPress publishing platform and more than 15 million websites are currently using All in One SEO Pack plugin for search engine optimization.
According to Sucuri, the reported privilege escalation vulnerabilities allow an attacker to add and modify the WordPress website’s meta information, that could harm its search engine ranking negatively.
"In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags." Sucuri said.
[adsense size='1']
Also the reported cross-site scripting vulnerability can be exploited by malicious hackers to execute malicious JavaScript code on an administrator’s control panel. "This means that an attacker could potentially inject any JavaScript code and do things like changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later." Sucuri blog post said.
Vulnerability in WordPress plugins is the root cause for the majority of WordPress exploitation and this is one of the main tools in the web hackers' arsenal. The plugin vulnerabilities could be exploited to access sensitive information, deface websites, redirect visitors to any malicious site, or to perform DDoS attacks.
Till now, we haven't seen any web attacks conducted by exploiting these vulnerabilities in the wild, but WordPress website owners are recommended to update their All in One SEO Pack WordPress plugin to the latest version immediately.
Gloss