This WordPress SEO plugin might leave your website vulnerable to attack

If left unpatched, this security flaw could lead to complete site takeover

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Wordfence’s Threat Intelligence team has discovered a vulnerability in aWordPress plugininstalled on over two million sites called All In OneSEOPack.

If exploited, the flaw could allow authenticated users with contributor level access or higher to inject malicious scripts which are executed when a victim accesses the wp-admin panel’s ‘all posts’ page.

After discovering this medium severity security issue,Wordfencereached out to the plugin’s team and All In One SEO Pack received a patch to fix the issue just a few days later.

Users of the plugin should update to the latest version of All In One SEO Pack (3.6.2) immediately to avoid falling victim to any potential attacks that try to exploit the now patched vulnerability.

All In One SEO Pack

All in One SEO Pack is a WordPress plugin that provides severalSEOfeatures to help a site’s content rank higher onGoogleand other search engines.

As part of the plugin’s functionality, it allows users with the ability to create or edit posts to set an SEO title and description directly from a post as they are working on it. This feature is available to all users with the ability to create posts such as contributors, authors and editors.

Unfortunately before the plugin was patched, the SEO meta data for posts, which includes the SEO title and SEO description fields, had no input sanitization. This allows lower-level users like contributors and authors to inject HTML and malicious JavaScript code into those fields.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

As the SEO title and SEO description for each post are displayed on the ‘all posts’ page, any values added to these fields would also be displayed there in an unsanitized format which would cause any saved scripts in these fields to be executed any time a user accessed this page.

In version 3.6.2 of All in One SEO Pack, the plugin’s developer has added sanitization to all of the SEO post meta values so that any code injected into them would be unable to become executable scripts.

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Squarespace just launched its biggest update ever. I asked what that means for your business

Shopify just made it easier to access all your financial tools in one place

Latest Google Pixel update includes surprise launch of Android 15’s best battery feature