By Gary Nugent

"All In One SEO Pack" Plugin Security Vulnerability

In an interesting development, it’s been found that there’s a security vulnerability in older versions of the popular All In One SEO Pack plugin. (Note: this plugin is not used in the blogs we build here at Top Design Blogs).

The vulnerability allows an attacker to store malicious code in the website’s Admin panel that could potentially help them take over the website.

The plugin is still one of the most popular in use and appears on the WordPress Plugin Directory’s Popular section. So a huge number of blogs could be at potential risk here.

All In One SEO Pack helps webmasters improve their site’s Search Engine Optimization (SEO) features through a series of on/off settings.

The Bot Blocker Issue

One of those settings is called Bot Blocker, which lets users decide which search engine crawlers to block from accessing and crawling their site. The setting is off by default, so fewer sites are at risk as a result.

If the option has been enabled, then the plugin logs all rejected bots and when they visited a site.

The problem is that when this info is logged, the text taken from the request's User Agent string and Referrer header is not sanitized, so malicious code can be hidden there.

Exploiting The Vulnerability Is Easy

All an attacker/hacker has to do is to add malicious code to the end of these strings for a bot that they know is being blocked by the site.

This malicious code gets stored in the WordPress site’s database and automatically executed when the admin visits the log page.

Packing JavaScript code that steals admin user cookies is trivial for any low-to-mid skilled hacker. The cookies can be used to hijack admin login sessions or to carry out other Cross-Site Request Forgery (CSRF) attacks.

Once the vulnerability was identified, the plugin developers fixed the issue and released an updated plugin (V2.3.7). Provided you’re using V2.3.7 or a later version, your site will be protected against this vulnerability.
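The flaw described above is a stored cross-site scripting bug: request headers are logged and later written into an admin page without encoding. The following PHP example is added here for illustration and is not the plugin's own code or its actual fix; the function names and the sample log entry are constructed.

```php
<?php
// Added illustration; not All In One SEO Pack source. All names are hypothetical.

// Constructed sample of a blocked-bot request whose headers carry markup.
$request = [
    'time'       => '2000-01-01 00:00:00',
    'user_agent' => 'BadBot/1.0 <script>alert(1)</script>',
    'referer'    => 'http://example.test/?q=<b>bold</b>',
];

// Storing raw header values is acceptable only if every reader treats them
// as untrusted data. Length is capped so one request cannot bloat the log.
function log_blocked_bot(array &$log, array $req): void
{
    $log[] = [
        'time'       => $req['time'],
        'user_agent' => substr($req['user_agent'], 0, 512),
        'referer'    => substr($req['referer'], 0, 512),
    ];
}

// Vulnerable pattern: header text is concatenated into admin-page HTML as-is.
function render_log_unsafe(array $log): string
{
    $rows = '';
    foreach ($log as $e) {
        $rows .= "<tr><td>{$e['time']}</td><td>{$e['user_agent']}</td><td>{$e['referer']}</td></tr>\n";
    }
    return $rows;
}

// Hardened pattern: encode on output. In WordPress, esc_html() does this job.
function render_log_safe(array $log): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $rows = '';
    foreach ($log as $e) {
        $rows .= '<tr><td>' . $esc($e['time']) . '</td><td>' . $esc($e['user_agent'])
               . '</td><td>' . $esc($e['referer']) . "</td></tr>\n";
    }
    return $rows;
}

$log = [];
log_blocked_bot($log, $request);
echo "UNSAFE:\n", render_log_unsafe($log);
echo "SAFE:\n", render_log_safe($log);
```

In the unsafe rows the browser would parse the logged `<script>` element as markup; in the safe rows it arrives as `&lt;script&gt;` and is displayed as plain text.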

One thing to note is that this attack was only tested in All in One SEO Pack version 2.3.6.1. Older versions of the plugin might be vulnerable as well. In this case, updating to the latest version is advised.

It pays to regularly update your WordPress version and plugins so that you’re minimizing potential attack vectors on your blog.
