A high risk cross site scripting (XSS) vulnerability has been discovered in All in One SEO Pack Plugin versions 18.104.22.168 and older. Please immediately update the plugin, as Semper Fi plugins has updated to fix the vulnerability.
The vulnerability allows an attacker to send a malicious HTTP User-Agent or Referrer header to the site containing an XSS payload. If the administrator then visits their admin panel and views the “Bad Bot Blocker” settings page in this plugin, the attacker can take full control of their site.
According to Wordfence, “This vulnerability is only exploitable on sites that have the “Track Blocked Bots” setting enabled. This setting is not enabled by default. We do not have definitive data to indicate how many users of the plugin have enabled this feature. However, this plugin is extremely popular.” It is one of the most downloaded WordPress plugins. All In One SEO has been installed on over 1 million active websites.