Printed from http://www.electronista.com

High-usage Wordpress SEO plug-in flagged for security vulnerability

updated 07:15 pm EDT, Mon June 2, 2014

Popular page SEO plug-in open to permissions vulnerability, injected code

Wordpress users with search engine optimization (SEO) tools may want to consider updating, as one of the most widely used plug-ins has been found to be vulnerable to attack. All in One SEO Pack, a plug-in with over 18.5 million downloads on Wordpress.com, could potentially allow an attacker to escalate their privileges from a low-level user account and carry out cross-site scripting attacks.

Marc-Alexandre Montpas, a security researcher from Sucuri, found that vulnerabilities in the plug-in could be used to inject malicious code into a Wordpress administration panel. The code would then execute every time a user logged into the wp-admin control panel, and any user, from administrators to site subscribers, could trigger the injected code once it is in place.

Any user, including one created through open registration, can manipulate SEO parameters such as the keyword tags, SEO title and description. On its own, this vulnerability doesn't amount to much of a problem, since the worst it could do is lower a page's position in search results. Combined with another bug, however, it can be used to do more serious damage.

"We also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator's control panel," said Montpas. "Now, this means that an attacker could potentially inject any Javascript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more 'evil' activities later."

Since the attack can be carried out with an account that anyone can register themselves rather than one that must be assigned, it is a significant issue for Wordpress users. All in One SEO Pack has since issued an update, version 2.1.6, that fixes the vulnerabilities. Anyone running a website with the plug-in should update to the latest version immediately to avoid unwanted activity. The plug-in can be upgraded through the Wordpress administration panel or downloaded from Wordpress.com.
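As an added illustration, not code from All in One SEO Pack or from Sucuri's report, the following hypothetical WordPress meta box shows the two defensive controls that address the weaknesses described above: a capability check before an account can save SEO fields, and output escaping so that a stored value cannot run as script inside wp-admin. All function, field and meta-key names prefixed with `example_` are invented for this example; the WordPress API calls are core functions.

```php
<?php
// Hypothetical SEO title/description meta box (added example, not the
// plug-in's own source). Only WordPress core APIs are used.

// Save handler, attached to the save_post hook.
function example_seo_save_meta( $post_id ) {
    // Reject requests without a valid nonce (CSRF protection).
    if ( ! isset( $_POST['example_seo_nonce'] ) ||
         ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_save' ) ) {
        return;
    }
    // Capability check: the first weakness in the article is that a
    // low-privilege, even self-registered, account could change SEO fields.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Sanitize on input: strip tags and control characters before storing.
    if ( isset( $_POST['example_seo_title'] ) ) {
        update_post_meta( $post_id, '_example_seo_title',
            sanitize_text_field( wp_unslash( $_POST['example_seo_title'] ) ) );
    }
    if ( isset( $_POST['example_seo_description'] ) ) {
        update_post_meta( $post_id, '_example_seo_description',
            sanitize_textarea_field( wp_unslash( $_POST['example_seo_description'] ) ) );
    }
}
add_action( 'save_post', 'example_seo_save_meta' );

// Meta box renderer (the callback passed to add_meta_box). It runs inside
// wp-admin, which is where the second weakness, stored script executing for
// any logged-in user, would otherwise fire.
function example_seo_render_meta_box( $post ) {
    $title = get_post_meta( $post->ID, '_example_seo_title', true );
    $desc  = get_post_meta( $post->ID, '_example_seo_description', true );
    wp_nonce_field( 'example_seo_save', 'example_seo_nonce' );
    // Escape on output for the exact context: esc_attr() inside an attribute,
    // esc_textarea() inside a textarea. A stored "<script>" becomes inert text.
    echo '<label for="example_seo_title">SEO title</label>';
    echo '<input type="text" id="example_seo_title" name="example_seo_title" value="'
        . esc_attr( $title ) . '" />';
    echo '<label for="example_seo_description">SEO description</label>';
    echo '<textarea id="example_seo_description" name="example_seo_description">'
        . esc_textarea( $desc ) . '</textarea>';
}
```

The same escaping applies wherever the stored values are printed on the public site, for example `esc_attr()` around the `content` attribute of a `<meta name="description">` tag; sanitizing on save is not a substitute for escaping on output.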



By Electronista Staff