Major Exploits Found in All in One SEO Pack WordPress Plugin

If you use the popular "All in One SEO Pack" WordPress plugin, you should update immediately. Two vulnerabilities and one cross-site scripting (XSS) flaw have been discovered.

Sucuri, a web monitoring and malware cleanup service, was the first to spot the exploits.

If you're an All in One SEO Pack plugin user and don't update, the best case scenario could be finding yourself removed from Google's search index for spamming. Because a malicious user could change the title, description, and keyword meta tags, unpatched websites are open to having that information changed by unauthorized third parties.

However, another exploit is much more dangerous for website owners:

...we also discovered this bug can be used with another vulnerability to execute malicious JavaScript code on an administrator's control panel. Now, this means that an attacker could potentially inject any JavaScript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more "evil" activities later.

The WordPress plugin has more than 18 million downloads, which means a large number of WordPress-based websites are potentially vulnerable, especially if webmasters don't take advantage of automatic updates.

Along with WordPress SEO by Yoast, the All in One SEO Pack is one of the most popular WordPress SEO plugins.

The updated All in One SEO Pack plugin can be downloaded here. As yet, the plugin's creator hasn't made any comment about the situation on his Twitter account or websites.

About the author

Jennifer Slegg began as a freelance writer, and turned to search engine optimization and writing content for the web in 1998. She has created numerous content-rich sites in niche markets and works with many clients on content creation, strategy, and monetization. She writes about many search industry and social media topics on her blog, and is a frequent speaker at search industry conferences on SEO, content marketing and content monetization. Acknowledged as the leading expert on the Google AdSense contextual advertising program, she runs JenSense, a blog dealing exclusively with contextual advertising. She is also the founder and editor of The SEM Post. She is known to many by her handle, Jenstar, on various webmaster forums.