
All in One SEO Pack Vulnerability – New Exploit Discovered

A stored cross-site scripting (XSS) vulnerability has been disclosed in the All in One SEO Pack WordPress plugin. An attacker with a low-privileged account that can create posts can use it to run JavaScript in an administrator's browser and, from there, take full control of the site.

Cross-Site Scripting Vulnerability

Researchers have identified a cross-site scripting vulnerability, commonly referred to as XSS. An XSS flaw exists when text supplied by a user is placed into a page without being validated or escaped, so that the browser of whoever views that page treats the text as HTML or JavaScript rather than as data. Any field whose contents are later displayed, whether a comment, a form value, an uploaded file name or a plugin's own metadata field, must therefore be "sanitized" on the way in and, more importantly, escaped at the point where it is output.

Typical entry points are comments and public forms, but such flaws also exist in parts of a site that only registered users can reach. The vulnerability in All in One SEO Pack sits in fields that require posting privileges, which is why it is rated medium severity rather than high: the attacker must first hold an account that can create posts.

Is All in One SEO Pack Vulnerable?

Yes. All in One SEO Pack versions 3.6.1 and earlier are affected. The plugin's per-post SEO title and SEO description fields accepted HTML and JavaScript without sanitization, and the stored values were then rendered without escaping in the WordPress admin post list. A logged-in user with posting privileges can therefore save a script in those fields that runs in the browser of any higher-privileged user who opens that list. Script running as an administrator can create new administrative users or plant a backdoor, which amounts to taking over the site, and a site under the attacker's control can in turn be used to serve malicious content to its visitors.

While this sounds serious, it is rated a medium-severity vulnerability because it cannot be exploited anonymously: the attacker needs credentials for an account with posting privileges. Those might be obtained through social engineering or by exploiting another plugin or theme vulnerability, but on sites that hand out Contributor or Author accounts to guest writers no credential theft is needed at all.

Wordfence described why a low-privileged account is enough:

"Due to the JavaScript being executed whenever a user accessed the ‘all posts’ page, this vulnerability would be a prime target for attackers that are able to gain access to an account that allows them to post content. Since Contributors must submit all posts for review by an Administrator or Editor, a malicious Contributor could be confident that a higher privileged user would access the ‘all posts’ area to review any pending posts. If the malicious JavaScript was executed in an Administrator’s browser, it could be used to inject backdoors or add new administrative users and take over a site."
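As an added illustration (not code from All in One SEO Pack or from Wordfence), the PHP below shows the general shape of a bug like the one described above in a WordPress plugin: a per-post SEO field saved straight from the request and printed into an admin list-table column without escaping, next to a hardened version that checks capability and a nonce, sanitizes on save with sanitize_text_field(), and escapes on output with esc_html(). The meta key _example_seo_title, the column id seo_title, the nonce names and the function names are all assumptions chosen for the example; the meta box form that would output the nonce field is omitted.

```php
<?php
/*
 * Illustrative example only; this is not the plugin's code.
 * Assumed names: meta key '_example_seo_title', column id 'seo_title',
 * nonce action 'example_seo_save', nonce field 'example_seo_nonce'
 * (the meta box form would emit it with
 *  wp_nonce_field( 'example_seo_save', 'example_seo_nonce' )).
 */

// ---- Vulnerable pattern: stored XSS via an admin list-table column ----

// Saved straight from the request. A Contributor who can edit the post can
// store <img src=x onerror=...> in the field.
function example_vuln_save_seo_title( $post_id ) {
    if ( isset( $_POST['seo_title'] ) ) {
        update_post_meta( $post_id, '_example_seo_title', $_POST['seo_title'] );
    }
}

// Printed unescaped into the "All Posts" table. Whoever opens that page,
// such as an Administrator reviewing pending posts, runs the stored script.
function example_vuln_render_column( $column, $post_id ) {
    if ( 'seo_title' === $column ) {
        echo get_post_meta( $post_id, '_example_seo_title', true );
    }
}

// ---- Hardened pattern ----

function example_safe_save_seo_title( $post_id ) {
    // Only users allowed to edit this post, submitting a form this plugin rendered.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['example_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_save' ) ) {
        return;
    }
    if ( isset( $_POST['seo_title'] ) ) {
        // Input sanitization: an SEO title is plain text, so strip all tags,
        // line breaks and extra whitespace before storing it.
        $title = sanitize_text_field( wp_unslash( $_POST['seo_title'] ) );
        update_post_meta( $post_id, '_example_seo_title', $title );
    }
}

function example_safe_render_column( $column, $post_id ) {
    if ( 'seo_title' === $column ) {
        // Output escaping at the point of use. This layer still prevents XSS
        // if bad data reached the database another way (import, direct DB
        // write, or a value saved by an older unpatched version).
        echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
    }
}

function example_add_seo_column( $columns ) {
    $columns['seo_title'] = __( 'SEO Title' );
    return $columns;
}

// Hook only the hardened versions; the vulnerable ones are shown for comparison.
add_action( 'save_post', 'example_safe_save_seo_title' );
add_filter( 'manage_posts_columns', 'example_add_seo_column' );
add_action( 'manage_posts_custom_column', 'example_safe_render_column', 10, 2 );
```

The two layers are deliberate: sanitizing on save keeps the database clean, but escaping on output is what protects the administrator's browser regardless of how a value got into the table.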

How the Vulnerability Was Discovered

Security researchers at Wordfence discovered the vulnerability in All in One SEO Pack on July 10, 2020, and promptly informed the plugin's publishers. The publishers released a patch, version 3.6.2, on July 15, 2020, five days later. Premium users of the Wordfence Security plugin received a firewall rule covering the issue on the day of discovery, July 10, 2020.

The fix appears in the plugin's changelog as:

"Improved the output of SEO meta fields + added additional sanitization for security hardening"

Screenshot of All in One SEO Pack Changelog

Update All in One SEO Pack to 3.6.2

All users of All in One SEO Pack should update to version 3.6.2 or later immediately. Although the vulnerability is rated medium severity, the outcome of a successful attack is full site compromise, so the patch should not be deferred. Note that updating only stops new payloads from being saved and rendered; it does not remove scripts already stored in the SEO fields of existing posts, so those fields should be reviewed after patching, especially on sites with Contributor or Author accounts.
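Because the patch does not clean data already stored, a practitioner will want to check existing posts. The following is an added PHP example, not part of the article or of the plugin, that flags SEO field values containing markup or script-bearing attributes. It assumes the fields are stored in wp_postmeta under the keys _aioseop_title and _aioseop_description (confirm against your own database before relying on them), runs against constructed sample rows embedded in the script, with posts 12 and 13 carrying the injected values, and shows in a comment the $wpdb query that would fetch real rows inside WordPress.

```php
<?php
/*
 * Added example; not the plugin's code. Assumed meta key names below.
 * The sample rows are constructed, not taken from a real site.
 */

// True when a stored "plain text" SEO value contains anything a browser could
// interpret as HTML or script.
function seo_value_looks_injected( string $value ): bool {
    // Entity-decode first so '&lt;script&gt;' stored by a half-hearted filter
    // is still caught.
    $decoded = html_entity_decode( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    if ( strip_tags( $decoded ) !== $decoded ) {
        return true;                       // contains a tag
    }
    // Inline event handlers or javascript: URLs without a full tag
    // (attribute injection).
    return (bool) preg_match( '/\bon[a-z]+\s*=|javascript:/i', $decoded );
}

// Scans rows shaped like: SELECT post_id, meta_key, meta_value FROM wp_postmeta
function find_injected_seo_meta( array $rows, array $keys ): array {
    $hits = [];
    foreach ( $rows as $row ) {
        if ( in_array( $row['meta_key'], $keys, true )
            && seo_value_looks_injected( (string) $row['meta_value'] ) ) {
            $hits[] = $row;
        }
    }
    return $hits;
}

$seo_keys = [ '_aioseop_title', '_aioseop_description' ];   // assumed key names

// Constructed sample rows.
$sample_rows = [
    [ 'post_id' => 10, 'meta_key' => '_aioseop_title',       'meta_value' => 'Ten tips for better coffee' ],
    [ 'post_id' => 11, 'meta_key' => '_aioseop_description', 'meta_value' => 'Review &amp; comparison of grinders' ],
    [ 'post_id' => 12, 'meta_key' => '_aioseop_title',       'meta_value' => 'Hello<img src=x onerror=alert(1)>' ],
    [ 'post_id' => 13, 'meta_key' => '_aioseop_description', 'meta_value' => '&lt;script src=//example.invalid/x.js&gt;&lt;/script&gt;' ],
    [ 'post_id' => 14, 'meta_key' => '_some_other_key',      'meta_value' => '<b>not an SEO field</b>' ],
];

// Inside WordPress the rows would come from $wpdb instead, for example:
// $rows = $wpdb->get_results( $wpdb->prepare(
//     "SELECT post_id, meta_key, meta_value FROM {$wpdb->postmeta} WHERE meta_key IN (%s, %s)",
//     $seo_keys[0], $seo_keys[1] ), ARRAY_A );

foreach ( find_injected_seo_meta( $sample_rows, $seo_keys ) as $hit ) {
    printf( "post %d  %s  %s\n", $hit['post_id'], $hit['meta_key'], $hit['meta_value'] );
}
```

Any row this reports should be treated as evidence of an attempt, not just cleaned: check which account last edited that post and whether new administrator users or unfamiliar plugin files appeared afterwards.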

Citation

Read the official Wordfence announcement titled "2 Million Users Affected by Vulnerability in All in One SEO Pack."
