The United States National Vulnerability Database has issued an advisory regarding two vulnerabilities found in the All In One SEO WordPress plugin.
The All In One SEO (AIOSEO) plugin, which boasts over three million active installations, is vulnerable to two types of Cross-Site Scripting (XSS) attacks.
These vulnerabilities affect all versions of AIOSEO up to and including version 4.2.9.
Stored Cross-Site Scripting
Cross-site scripting (XSS) attacks are a type of injection exploit where malicious scripts are executed in a user’s browser. This can lead to access to cookies, user sessions, and even a site takeover.
The two most common forms of Cross-Site Scripting attacks are:
- Reflected Cross-Site Scripting
- Stored Cross-Site Scripting
In a Reflected XSS attack, the attacker sends a user a link that carries the script; when the user clicks it, the vulnerable site reflects the script back into the page it serves. In a Stored XSS attack, on the other hand, the malicious script is saved on the vulnerable site itself and served to anyone who views the affected page.
Attackers can target any input the website accepts, such as a contact form or an image upload form, anywhere users can submit data.
The vulnerability arises when the security checks on that input are insufficient to block unwanted content.
The two issues affecting the AIOSEO plugin are both Stored Cross-Site Scripting vulnerabilities.
CVE-2023-0585
Vulnerabilities are assigned CVE identifiers for tracking purposes. The first one has been assigned CVE-2023-0585.
This vulnerability stems from insufficient input sanitization and output escaping: the plugin's filtering does not block script content, so an attacker can store it through the affected parameters.
The National Vulnerability Database (NVD) describes it as follows:
“The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping.
This makes it possible for authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
This vulnerability has a severity score of 4.4 out of 10, categorized as medium. An attacker must first hold the Administrator role or higher to exploit it.
CVE-2023-0586
This vulnerability is similar to the first, the main difference being that the attacker needs a lower level of access: at least the Contributor role.
The Contributor role allows a user to create content but not to publish it.
This vulnerability is also a medium-level threat but has a higher score of 6.4.
Description:
“The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping.
This makes it possible for authenticated attackers with Contributor+ role to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
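Both NVD descriptions name the same root cause, insufficient input sanitization and output escaping. The following is an added, hypothetical WordPress plugin sketch (not AIOSEO's code; the `demo_seo_*` names and `_demo_seo_title` meta key are invented) showing where those two controls sit for a per-post SEO field that a Contributor may edit. Note that the capability check is correct and still not enough on its own: a Contributor legitimately passes `edit_post` for their own draft, so only the sanitizer and the escaping functions keep stored markup out of other users' browsers.

```php
<?php
// Added illustration (hypothetical plugin code, not AIOSEO's): a per-post
// "SEO title" field that a Contributor can edit and that is rendered on the
// front end. The two controls the NVD text names, input sanitization and
// output escaping, decide whether stored markup ever reaches a browser.

// Save handler: runs when a post is saved from the editor.
add_action( 'save_post', function ( $post_id ) {
    // Only act on our own form, and only for users allowed to edit this post.
    if ( ! isset( $_POST['demo_seo_nonce'], $_POST['demo_seo_title'] )
        || ! wp_verify_nonce( $_POST['demo_seo_nonce'], 'demo_seo_save' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // VULNERABLE pattern: storing the raw request value keeps any tags intact.
    // update_post_meta( $post_id, '_demo_seo_title', $_POST['demo_seo_title'] );
    // Hardened: a plain-text field gets a plain-text sanitizer, so tags are
    // stripped before the value is stored.
    $title = sanitize_text_field( wp_unslash( $_POST['demo_seo_title'] ) );
    update_post_meta( $post_id, '_demo_seo_title', $title );
} );

// Admin meta box: the field is pre-filled with the stored value.
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'demo_seo', 'SEO title (demo)', function ( $post ) {
        wp_nonce_field( 'demo_seo_save', 'demo_seo_nonce' );
        $title = get_post_meta( $post->ID, '_demo_seo_title', true );
        // Attribute context: escape at output even though the value was
        // sanitized on save. Older rows, imports or direct DB edits may not
        // have passed through the sanitizer.
        printf( '<input type="text" name="demo_seo_title" value="%s">',
            esc_attr( $title ) );
    }, 'post' );
} );

// Front end: the stored value is rendered for every visitor of the page,
// which is what turns a stored payload into a Stored XSS.
add_action( 'wp_head', function () {
    if ( ! is_singular() ) {
        return;
    }
    $title = get_post_meta( get_queried_object_id(), '_demo_seo_title', true );
    if ( '' === $title ) {
        return;
    }
    // VULNERABLE pattern: echo '<title>' . $title . '</title>';
    // Hardened: HTML-context escaping at the point of output.
    echo '<title>' . esc_html( $title ) . "</title>\n";
} );
```

When reviewing a plugin for this class of bug, look for every `echo`, `printf` or template that prints a value read from `get_post_meta`, `get_option` or `$_POST` without an `esc_*` call matching its context (attribute, HTML body, URL, JavaScript).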
Recommended Action
The first vulnerability requires Administrator-level privileges and is scored at 4.4, the low end of the medium range. The second vulnerability, however, requires only a lower level of privilege and is rated higher at 6.4.
It’s generally advisable to update all vulnerable plugins. The AIOSEO plugin version 4.3.0 contains the security fix, referred to in the official AIOSEO changelog as additional “security hardening.”
Read details of the two vulnerabilities:
- CVE-2023-0585
- CVE-2023-0586