Printed from http://www.electronista.com

High-usage Wordpress SEO plug-in flagged for security vulnerability

updated 07:15 pm EDT, Mon June 2, 2014

Popular page SEO plug-in open to permissions vulnerability, injected code

WordPress users with search engine optimization (SEO) tools may want to consider doing an update, as one of the most widely used plug-ins has been found to be vulnerable to attack. All in One SEO Pack, a plug-in with over 18.5 million downloads on WordPress.com, could potentially allow an attacker to escalate their privileges from a low-level user account and carry out cross-site scripting attacks.

Marc-Alexandre Montpas, a security researcher from Sucuri, found that vulnerabilities in the plug-in could be used to inject malicious code into a WordPress administration panel. This code would then execute whenever a user logged into the wp-admin control panel. Any user, from administrators to site subscribers, could trigger the injected code once it is in place.

Users, including accounts created through open registration, can manipulate SEO parameters such as keyword tags, the SEO title and the description. On its own, this vulnerability doesn't amount to much of a problem -- it would just lower the page's position in search results. Combined with another bug, however, it can be used to do more serious damage.
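As an added illustration of the bug class Sucuri describes (this is not All in One SEO Pack's code, which the article does not show), the snippet below contrasts a meta-box field that is saved without a capability check and echoed raw into wp-admin, which turns any stored script into an admin-side cross-site scripting, with the hardened form that verifies a nonce and the user's capability, sanitizes on input, and escapes on output. The function names, meta key, field name and nonce action are assumed names chosen for this example.

```php
<?php
// Added illustration only; NOT the plugin's actual code. Names below are assumptions.

// --- Vulnerable pattern ---------------------------------------------------------
// Any request that reaches save_post can set the field (no nonce, no capability check),
// and the stored value is printed into the admin screen unescaped, so a value containing
// script or a quote that breaks out of the attribute runs for whoever opens the editor.
function example_seo_save_vulnerable( $post_id ) {
    if ( isset( $_POST['example_seo_title'] ) ) {
        update_post_meta( $post_id, '_example_seo_title', $_POST['example_seo_title'] ); // unsanitized
    }
}
function example_seo_render_vulnerable( $post ) {
    $title = get_post_meta( $post->ID, '_example_seo_title', true );
    echo '<input name="example_seo_title" value="' . $title . '">'; // unescaped: stored XSS
}

// --- Hardened pattern -----------------------------------------------------------
function example_seo_save_hardened( $post_id ) {
    // Reject requests that did not originate from the editor form.
    if ( ! isset( $_POST['example_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_save' ) ) {
        return;
    }
    // Only a user allowed to edit this particular post may change its SEO fields;
    // an admin-only field would instead require 'manage_options'.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['example_seo_title'] ) ) {
        // Strip tags, control characters and extra whitespace before storing.
        $clean = sanitize_text_field( $_POST['example_seo_title'] );
        update_post_meta( $post_id, '_example_seo_title', $clean );
    }
}
function example_seo_render_hardened( $post ) {
    $title = get_post_meta( $post->ID, '_example_seo_title', true );
    wp_nonce_field( 'example_seo_save', 'example_seo_nonce' );
    // esc_attr() encodes quotes and angle brackets, so stored input cannot break out
    // of the attribute or inject markup into the admin page.
    echo '<input name="example_seo_title" value="' . esc_attr( $title ) . '">';
}

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'example_seo', 'SEO (example)', 'example_seo_render_hardened', 'post' );
} );
add_action( 'save_post', 'example_seo_save_hardened' );
```

Input sanitization alone is not enough: the escape on output is what stops a value that slipped into the database by any other route from executing in an administrator's browser.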

"We also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator's control panel," said Montpas. "Now, this means that an attacker could potentially inject any Javascript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more 'evil' activities later."

Since this attack can be carried out with an account that anyone can sign up for, rather than one that must be assigned, it is a significant issue for WordPress users. All in One SEO Pack has since issued an update, version 2.1.6, that fixes the vulnerabilities. Anyone running a website with the plug-in should update to the latest version immediately to avoid unwanted activity. The plug-in can be upgraded through the WordPress administration panel or downloaded from WordPress.com.



By Electronista Staff