WordPress Security – All-In-One SEO Vulnerability – High Risk

The original disclosure by Wordfence can be found here on their blog. Terminus Agency regularly provides WordPress Security updates for their customers. Terminus Agency clients are likely already protected from this issue.

A high-risk cross-site scripting (XSS) vulnerability has been discovered in All in One SEO Pack plugin versions 2.3.6.1 and older. Please update the plugin immediately, as Semper Fi Plugins has released a fix for the vulnerability.

The vulnerability allows an attacker to send the site an HTTP User-Agent or Referer header containing an XSS payload. If an administrator then logs in and views the “Bad Bot Blocker” settings page of this plugin, the stored payload runs in the administrator's browser and the attacker can take full control of the site.
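The issue above is a stored XSS through request headers: the plugin logged blocked bots' User-Agent and Referer values and later printed them into an admin page. The following Python is an added example (not code from Wordfence, Semper Fi Plugins or the plugin) that shows the defender's side of this: it scans access-log lines in the standard "combined" format for header values carrying markup, and it shows output escaping, the fix such a settings page needs before printing logged values. The sample log lines are constructed; the function names and the indicator list are this example's own choices.

```python
"""Detect header-borne XSS attempts in access logs and show safe output.

Added illustration for the All in One SEO Pack Bad Bot Blocker advisory; not
code from Wordfence, Semper Fi Plugins or the plugin. Log lines below are
constructed, not captured traffic.
"""
import html
import re
from typing import Dict, List

# Apache/nginx "combined" format:
# ip - - [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators that a header value carries markup or script rather than a
# client identifier or a referring URL (hypothetical, illustrative list).
XSS_INDICATORS = [
    re.compile(r"<\s*/?\s*script", re.I),
    re.compile(r"<\s*(img|svg|iframe|body|object|embed)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),            # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"(%3C|&lt;|&#60;|&#x3c;)", re.I),   # URL/HTML-encoded '<'
]


def parse_combined(line: str) -> Dict[str, str]:
    """Split one combined-format line into its named fields."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def suspicious_reason(value: str) -> str:
    """Return the first matching indicator pattern, or '' if the value is clean."""
    for pat in XSS_INDICATORS:
        if pat.search(value):
            return pat.pattern
    return ""


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag every User-Agent or Referer that looks like an injection attempt."""
    findings = []
    for line in lines:
        try:
            rec = parse_combined(line)
        except ValueError:
            continue  # skip lines in another format rather than abort the scan
        for field in ("ua", "referer"):
            reason = suspicious_reason(rec[field])
            if reason:
                findings.append({"ip": rec["ip"], "field": field,
                                 "value": rec[field], "matched": reason})
    return findings


def render_blocked_bot_row(ua: str, referer: str) -> str:
    """Safe rendering of logged header values inside an admin page: escape
    every untrusted value at output time. In WordPress PHP this is esc_html();
    html.escape() is the Python equivalent used here."""
    return f"<tr><td>{html.escape(ua)}</td><td>{html.escape(referer)}</td></tr>"


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2016:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 '
    '"https://example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0"',
    '203.0.113.9 - - [10/Jul/2016:12:00:02 +0000] "GET /?s=test HTTP/1.1" 200 4096 '
    '"-" "<script>alert(1)</script>"',
    '198.51.100.7 - - [10/Jul/2016:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 '
    '"javascript:alert(1)" "curl/7.47.0"',
    '198.51.100.8 - - [10/Jul/2016:12:00:04 +0000] "GET /feed/ HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0 %3Cimg src=x onerror=alert(1)%3E"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']}: suspicious {f['field']} -> {f['value']!r}")
    # Escaped at output, the logged value is displayed as text, not executed.
    print(render_blocked_bot_row("<script>alert(1)</script>", "-"))
```

Run against real logs, the scan is a cheap retrospective check for whether anyone tried this vector before the plugin was updated; the escaping function is the pattern to look for when reviewing any plugin that displays logged request data to administrators.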

According to Wordfence, “This vulnerability is only exploitable on sites that have the “Track Blocked Bots” setting enabled. This setting is not enabled by default. We do not have definitive data to indicate how many users of the plugin have enabled this feature. However, this plugin is extremely popular.” It is one of the most downloaded WordPress plugins. All In One SEO has been installed on over 1 million active websites.

UPDATE

The Wordfence team has identified a new, separate vulnerability that allows a hacker to take control of a WordPress site. The vulnerability has been fixed with an update, and you can read more about it here.