There is a serious stored cross site scripting (XSS) vulnerability in All in One SEO Pack Plugin versions 22.214.171.124 and older. This plugin is installed on over 1 million active websites and is extremely popular and widely used.
The vulnerability is in the plug-in's Bot Blocker functionality and can be exploited remotely by sending HTTP requests with specifically crafted headers to the website.
The vulnerability allows an attacker to send a malicious HTTP User-Agent or Referrer header to the site containing an XSS payload. If the administrator then visits their admin panel and views the “Bad Bot Blocker” settings page in this plugin, the attacker can take full control of their site.
The Bot Blocker feature is designed to detect and block spam bots based on their user agent and referer header values, according to security researcher David Vaartjes, who found and reported the issue.This vulnerability is only exploitable on sites that have the “Track Blocked Bots” setting enabled. This setting is not enabled by default. There is no definitive data to indicate how many users of the plugin have enabled this feature. However, this plugin is extremely popular:
- All in One SEO Pack has been downloaded over 28 million times (this includes upgrades)
- It has been around for over 9 years
- It is one of the most downloaded WordPress plugins. But Akismet, Yoast SEO and Contact Form 7 have more downloads.
How to Prevent :
If you're running a WordPress website and you have the hugely popular plug-in installed, it's a good idea to update All in One SEO Pack version 2.3.7 as soon as possible. The latest version released Friday fixes a flaw that could be used to hijack the site's admin account.
Bezoar Software customers are already protected against exploitation of this vulnerability. We are offering a simple and hands off WordPress maintenance service . We not only keep your WordPress website up to date, but we become a virtual team that handles many issues that may come up on your behalf.