In an interesting development, it’s been found that there’s a security vulnerability in older versions of the popular All In One SEO Pack plugin. (Note: this plugin is not used in the blogs we build here at Top Design Blogs).
The vulnerability allows an attacker to store malicious code in the website’s Admin panel that could potentially help them take over the website.
The plugin is still one of the most popular in use and appears on the WordPress Plugin Directory’s Popular section. So a huge number of blogs could be at potential risk here.
All In One SEO Pack helps webmasters improve their site’s Search Engine Optimization (SEO) features through a series of on/off settings.
The Bot Blocker Issue
One of those settings is called Bot Blocker which allows users to decide which search engine crawlers to block from accessing and crawling their site. The setting is off by default so fewer sites are at risk as a result.
If the option has been enabled, then the plugin logs all rejected bots and when they visited a site.
The problem is that when a rejected request is logged, the User-Agent string and Referer header are stored without being sanitized, so malicious code can be hidden in them.
Exploiting The Vulnerability Is Easy
All an attacker/hacker has to do is to add malicious code to the end of these strings for a bot that they know is being blocked by the site.
This malicious code gets stored in the WordPress site’s database and is executed in the administrator’s browser when they open the log page.
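To make the flaw concrete, here is an added PHP illustration (not the plugin’s own code) of the logging-and-display pattern described above: each blocked request’s User-Agent and Referer are stored as-is and later echoed on an admin page. The first renderer emits the stored text raw, which is the bug; the second escapes every stored value at output time, which is what the fix amounts to. The log entries, function names and the simplified table layout are constructed assumptions.

```php
<?php
// Added example, not the plugin's code. Simulates a bot-blocker log: the
// User-Agent and Referer of each rejected request are recorded, then listed
// in a wp-admin page.

// Constructed sample entries. The second carries HTML in the User-Agent
// header; if it is echoed back unescaped, the admin's browser will run it.
$log = [
    ['ts' => '2016-07-01 10:00:00', 'ua' => 'Badbot/1.0',
     'ref' => 'http://example.com/'],
    ['ts' => '2016-07-01 10:05:00', 'ua' => 'Badbot/1.0 <script>alert(1)</script>',
     'ref' => 'http://example.com/"><b>x</b>'],
];

// VULNERABLE: header values are concatenated straight into the markup.
function render_log_unsafe(array $log): string {
    $html = "<table>\n";
    foreach ($log as $e) {
        $html .= "<tr><td>{$e['ts']}</td><td>{$e['ua']}</td><td>{$e['ref']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// HARDENED: every attacker-controlled value is HTML-escaped when output.
// Inside WordPress the idiomatic calls are esc_html() for text cells and
// esc_url() for links; htmlspecialchars() is used here so the script runs
// stand-alone without WordPress loaded.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_log_safe(array $log): string {
    $html = "<table>\n";
    foreach ($log as $e) {
        $html .= '<tr><td>' . esc($e['ts']) . '</td><td>' . esc($e['ua'])
               . '</td><td>' . esc($e['ref']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// A quick check a reviewer can run over any page built from logged headers:
// no raw tag from a stored value should survive into the output.
function contains_raw_tag(string $html, string $needle = '<script'): bool {
    return stripos($html, $needle) !== false;
}

echo 'unsafe renderer leaks a tag: ', var_export(contains_raw_tag(render_log_unsafe($log)), true), "\n";
echo 'escaped renderer leaks a tag: ', var_export(contains_raw_tag(render_log_safe($log)), true), "\n";
```

Escaping at output is the right layer for this fix: the log still records exactly what the bot sent, but the browser only ever sees it as text.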
Once the vulnerability was identified, the plugin developers fixed the issue and released an updated plugin (V2.3.7). Provided you’re using V2.3.7 or a later version, your site will be protected against this vulnerability.
One thing to note is that this attack was only tested in All in One SEO Pack version 126.96.36.199. Older versions of the plugin might be vulnerable as well. In this case, updating to the latest version is advised.
It pays to regularly update your WordPress version and plugins so that you’re minimizing potential attack vectors on your blog.
Filed under: WordPress Security