Over three million WordPress websites are at risk! This is due to a vulnerability in the All In One SEO Pack (AIOSEO) plugin.
If you use this plugin, you must read this article to the end. Here, we will explain the security holes that were recently found in the All In One SEO Pack plugin, as well as how to deal with them.
Without further ado, here is the complete information!
All-In-One SEO Pack Plugin Vulnerability
On January 26, 2023, security service provider Wordfence published a security issue with the All In One SEO Pack plugin. Not just one, but two vulnerabilities haunt the plugin!
According to Wordfence, the vulnerabilities scored 6.4 and 4.4 (medium) respectively. Both vulnerabilities affect All In One SEO Pack plugin version 4.2.9 and below.

As info, All In One SEO Pack is one of the best WordPress SEO plugins to help you optimize your website’s SEO, so you can get more traffic.
Besides that, setting up the All In One SEO Pack is also fairly easy. So it's no wonder this plugin has been installed on more than 3 million WordPress websites and holds a rating of 4.7.
Unfortunately, this is not the first time the All In One SEO Pack plugin has been plagued with vulnerability issues. Last year, the All In One SEO security flaw landed in several versions between 4.00 and 4.1.5.2.
Back again, the two All In One SEO Pack vulnerabilities this time are of the Stored Cross-Site Scripting (XSS) type. Stored XSS is quite troubling because the malicious script is saved on the website itself and runs whenever the affected page is viewed.
Do you want to know the details? Let’s just scroll down!
Stored Cross-Site Scripting in All In One SEO Pack
Here are the full explanations of the two Stored XSS vulnerabilities that threaten the All In One SEO Pack plugin:
1. Authenticated Contributor Level Stored XSS
Affected version: 4.2.9 and earlier
Vulnerability score: 6.4 (medium)
The first Stored XSS vulnerability allows users with at least the Contributor access level to inject code that threatens websites. How come?
Basically, the All In One SEO Pack provides several forms that need to be filled out when you optimize pages or posts. For example, SEO Titles, Meta Descriptions, and several others.
However, the forms above do not properly validate or sanitize the input data. As a result, users who have access to the WordPress editor, such as Contributors, can inject JavaScript code into some of these forms.
Later, the malicious script is executed in the browser when the website administrator edits the contributor's post. This is shown by the following simple test results from Wordfence:

2. Authenticated Administrator Level Stored XSS
Affected version: 4.2.9 and earlier
Vulnerability score: 4.4 (medium)
Just like the first point, this Stored XSS problem also allows malicious users to inject malicious scripts into websites. The difference is that this vulnerability requires at least Administrator access rights.
Here, website administrators can modify settings in the Search Appearance and Social Networks menus, and can enter malicious scripts into them.
If the site manager edits or views the list of posts, the code is automatically executed. So, here are the results of Wordfence's experiment on the Administrator-level Stored XSS:
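Both issues come down to the same rendering pattern: text saved through a form (an SEO title, a meta description, a Search Appearance setting) is later printed into an admin screen without being escaped, so any script inside it runs with the session of whoever views that screen. The following is an added example, not code from the All In One SEO Pack plugin or from Wordfence; it uses a constructed sample title and plain PHP, and the comments name the WordPress escaping and sanitizing functions that play the same role inside a plugin.

```php
<?php
// Added example (not code from the All In One SEO Pack plugin or from Wordfence).
// Shows the rendering pattern behind both stored XSS issues described above:
// text saved by a lower-privileged user (an SEO title here) is later printed
// into an admin screen, and whatever runs there runs with the admin's session.
// Run with: php stored_xss_escaping.php

// Constructed sample: what a Contributor could save in an SEO Title field.
$untrustedSeoTitle = 'Best gadgets 2023<script>alert("constructed sample")</script>';

// Vulnerable pattern: the stored string is concatenated into the HTML of the
// post-list screen unchanged, so the <script> element is parsed and executed
// in the browser of whichever administrator views the list.
function render_title_cell_unsafe(string $title): string
{
    return '<td class="seo-title">' . $title . '</td>';
}

// Hardened pattern: escape for the HTML text context the value lands in.
// htmlspecialchars() here is the plain-PHP equivalent of WordPress's
// esc_html(); use esc_attr() (or ENT_QUOTES as below) for attribute values
// and esc_url() for href/src values.
function render_title_cell_safe(string $title): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="seo-title">' . $escaped . '</td>';
}

// Defence in depth: also normalise on save, so the stored value never carries
// markup. Plain-text SEO fields have no legitimate need for tags. This mirrors
// what WordPress's sanitize_text_field() does before update_post_meta().
function sanitize_seo_text(string $value): string
{
    // Remove <script>/<style> elements together with their contents ...
    $value = preg_replace('@<(script|style)[^>]*?>.*?</\\1>@si', '', $value);
    // ... then any remaining tags, control characters and surrounding space.
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

echo "Unsafe: " . render_title_cell_unsafe($untrustedSeoTitle) . PHP_EOL;
echo "Safe:   " . render_title_cell_safe($untrustedSeoTitle) . PHP_EOL;
echo "Stored: " . sanitize_seo_text($untrustedSeoTitle) . PHP_EOL;
```

The "Unsafe" line contains a live script element, the "Safe" line prints the same text with `<` and `>` turned into `&lt;` and `&gt;`, and the "Stored" line is what a plugin should actually keep in the database. Output escaping is the fix that closes the hole; sanitizing on save is an extra layer so that a missed escape somewhere else does not become exploitable.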

Wow, how scary are these two XSS vulnerabilities in the All In One SEO Pack plugin! Fortunately, the problem has been resolved. How?
The answer is in the next point!
Update Plugin All In One SEO Pack to the latest Version!
A few days later, on February 6, 2023 to be precise, the developer updated the All In One SEO Pack plugin to version 4.3.0. This update focused on addressing the security issues in previous versions.
In fact, All In One SEO Pack version 4.3.2 is now available with further security improvements. If you have the plugin installed, we strongly recommend that you update to the latest version so that your WordPress website stays protected.
You can update plugins manually through the Updates menu available on the WordPress dashboard.

If you would rather not update plugins manually, there is also an automatic option: enable WordPress auto-updates for the plugin.
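Auto-updates can be switched on per plugin from the Plugins screen, but on a site you administer with code it is often better to pin that decision in a must-use plugin so it cannot be toggled off by accident. The snippet below is an added example, not part of this article or of the AIOSEO project. It uses WordPress's own `auto_update_plugin` filter; the AIOSEO plugin basename in it is an assumption that you should confirm on your Plugins screen or with `wp plugin list` before relying on it.

```php
<?php
/**
 * Plugin Name: Force auto-updates for security-critical plugins (added example)
 *
 * Added example, not part of the article or of the AIOSEO project. Save it as
 * wp-content/mu-plugins/force-plugin-auto-updates.php; must-use plugins load
 * automatically and cannot be deactivated from the dashboard.
 *
 * WordPress asks the auto_update_plugin filter, for every plugin with a pending
 * update, whether to install it unattended. Returning true for a chosen set of
 * plugin basenames is equivalent to clicking "Enable auto-updates" for them.
 */

// Plugin basenames (directory/main-file.php) to always update automatically.
// The AIOSEO basename below is an assumption, not something stated in the
// article: confirm it on the Plugins screen or with `wp plugin list`.
const FORCED_AUTO_UPDATE_PLUGINS = [
    'all-in-one-seo-pack/all_in_one_seo_pack.php',
];

add_filter('auto_update_plugin', function ($update, $item) {
    // $item->plugin holds the basename of the plugin being considered.
    if (isset($item->plugin) && in_array($item->plugin, FORCED_AUTO_UPDATE_PLUGINS, true)) {
        return true;
    }
    return $update; // leave every other plugin's own setting unchanged
}, 10, 2);
```

If you manage the site with WP-CLI, `wp plugin update <slug>` installs a pending update immediately and `wp plugin auto-updates enable <slug>` sets the same per-plugin flag the dashboard button does; substitute the plugin's slug as shown on the Plugins screen.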
Check out the following info to make your WordPress website safer!
The All In One SEO Pack plugin is again plagued with security issues. Fortunately, by updating the plugin to the latest version, the existing vulnerability issues have been successfully resolved.
Even so, updating plugins regularly is only one of many ways to keep your WordPress website secure. There are still some things you need to do, such as changing passwords regularly or installing security plugins.