NewsSecurity & Vulnerability

A WordPress SEO plugin with 2M installs is vulnerable and creates Admin user without Permission

One of the most popular SEO plugins has become vulnerable and allowing any user to have access to create posts can create an admin user account and take over the site.

About Plugin

All in One SEO is one of the most popular SEO plugins that help users in doing On-Page Optimisation. The plugin has 2M+ users and it was updated 2 days ago to fix the same vulnerability. An All in One user must update the plugin to get the fix.

Stages in XSS Attack using All in One SEO Plugin

1. No of Users Before XSS Attack (Remember)

A WordPress SEO plugin with 2M installs is vulnerable and creates Admin user without Permission 2

2. Contributor/Author create a post with Malicious Script in Yoast SEO Title and Description

A WordPress SEO plugin with 2M installs is vulnerable and creates Admin user without Permission 3

 

3. Attack Script Executed (Execution Needed only for Contributors)

A WordPress SEO plugin with 2M installs is vulnerable and creates Admin user without Permission 4

2. Admin user got created After XSS Code Execution

After XSS Attack

Who is vulnerable?

 

1. Websites having untrusted Users registered with “Create Post” Capability

 

Create post capability is often given to “Author”, “Editor”, “SEO”, “Contributor” and etc.

 

2. Website Open for Registration where registered users can create a post.

 

WordPress Websites that uses AllInOne SEO and has registration open for contributor or any user type that can create a post.

Note: WordPress Websites that use AllInOne SEO and have registration open for contributors can be in the target as WordPress version or all in one SEO plugin version can be easily found with a reverse search on Google and website using this specific plugin should immediately update.

Who is not vulnerable?

Website Owners who maintaining the site on their own and do not have registration open for others.

What was the bug?

The developer wasn’t sanitizing the meta title, description to remove any script tag or an invalid HTML code that can cause XSS attack.

History of vulnerabilities in All in One SEO

This was not the first time All in One SEO has vulnerability but also back in 2018, 2016 and 2014.

Funnily, the attacks in a series of years and it looks like the developers aren’t cautious and haven’t learned enough to protect their users.

Alternate Trusted Plugins

There are many other better plugins having rick features in the market. One of the most popular is rank math and the 2nd most popular right now is Yoast SEO.

TheDigitalHacker appreciates contributors like rank math who has committed to maintaining all the existing features like, export, import, search console analytics for free in the future. The plugin combines features on All in One Rich Snippet, Schema, Redirection, and many other features for free with a hassle-free integration.

All In One SEO Alternate Trusted Plugins
Plugin Name Price Feature
RankMath Free Very Rich
YoastSEO Free & Paid Good enough

About WordPress

WordPress is the most popular content management system backed by more than 50000 free plugins and paid plugins. WordPress share 63% among the whole CMS market and 37% on the whole worldwide web.

=== Update ===

Disclosure Timeline

July 10, 2020 – Initial discovery and analysis of vulnerability. Firewall rule was released for Wordfence Premium customers. Initial outreach to the Semper plugin team.
July 13, 2020 – The lead developer at Semper confirms an appropriate discussion channel. We provide full disclosure.
July 15, 2020 – A patch was released (version 3.6.2).
August 9, 2020 – Free Wordfence users receive firewall rule.

src: wordfence

Status of Vulnerability?

Fixed: On July 15, the contributors of the plugin have fixed the issue and pushed an update to the WordPress plugin repository.

Meta Information

  • Status: Fixed
  • Version: 3.6.1 ==> Version: 3.6.2
  • Last updated: 2 days ago
  • Active installations: 2+ million
  • WordPress Version:4.9 or higher                   
  • Tested up to 5.4.2
  • PHP Version: 5.2.4 or higher                   

Research Sources:

SEJ, Wordfence, All In One SEO WordPress Plugin

 

Tags

TheDigitalHacker

thedigitalhacker.com is an independent organization publishing news and information about data breach, hacking, bad actors in the industry, Our goal is to keep you updated with the latest happenings in the tech industry. You can report a breach anonymously with our report form
Back to top button
Close
Close