The Hacker News
Multiple Serious vulnerabilities have been discovered in the most famous 'All In One SEO Pack' plugin for WordPress, that put millions of Wordpress websites at risk.

WordPress is easy to setup and use, that's why large number of people like it. But if you or your company is using 'All in One SEO Pack' Wordpress plugin to optimize the website ranking in search engines, then you should update your SEO plugin immediately to the latest version of All in One SEO Pack 2.1.6.

Today, All in One SEO Pack plugin team has released an emergency security update that patches two critical privilege escalation vulnerabilities and one cross site scripting (XSS) flaw, discovered by security researchers at Sucuri, a web monitoring and malware clean up service.
Cybersecurity

More than 73 million websites on the Internet run their websites on the WordPress publishing platform and more than 15 million websites are currently using All in One SEO Pack plugin for search engine optimization.

According to Sucuri, the reported privilege escalation vulnerabilities allow an attacker to add and modify the WordPress website's meta information, that could harm its search engine ranking negatively.
"In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author of subscriber), could add or modify certain parameters used by the plugin. It includes the post's SEO title, description and keyword meta tags." Sucuri said.
Also the reported cross-site scripting vulnerability can be exploited by malicious hackers to execute malicious JavaScript code on an administrator's control panel. "This means that an attacker could potentially inject any JavaScript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more "evil" activities later." Sucuri blog post said.

Vulnerability in WordPress plugins is the root cause for the majority of WordPress exploitation and this is one of the main tools in the web hackers' arsenal. The plugin vulnerabilities could be exploited to access sensitive information, deface websites, redirect visitors to any malicious site, or to perform DDoS attacks.

Till now, we haven't seen any web attacks conducted by exploiting these vulnerabilities in the wild, but WordPress website owners are recommended to update their All in One SEO Pack Wordpress plugin to the latest version immediately.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.