One of the most popular SEO plugins has become vulnerable and allowing any user to have access to create posts can create an admin user account and take over the site.
All in One SEO is one of the most popular SEO plugins that help users in doing On-Page Optimisation. The plugin has 2M+ users and it was updated 2 days ago to fix the same vulnerability. An All in One user must update the plugin to get the fix.
Stages in XSS Attack using All in One SEO Plugin
1. No of Users Before XSS Attack (Remember)
2. Contributor/Author create a post with Malicious Script in Yoast SEO Title and Description
3. Attack Script Executed (Execution Needed only for Contributors)
2. Admin user got created After XSS Code Execution
Who is vulnerable?
1. Websites having untrusted Users registered with “Create Post” Capability
Create post capability is often given to “Author”, “Editor”, “SEO”, “Contributor” and etc.
2. Website Open for Registration where registered users can create a post.
WordPress Websites that uses AllInOne SEO and has registration open for contributor or any user type that can create a post.
Note: WordPress Websites that use AllInOne SEO and have registration open for contributors can be in the target as WordPress version or all in one SEO plugin version can be easily found with a reverse search on Google and website using this specific plugin should immediately update.
Who is not vulnerable?
Website Owners who maintaining the site on their own and do not have registration open for others.
What was the bug?
The developer wasn’t sanitizing the meta title, description to remove any script tag or an invalid HTML code that can cause XSS attack.
History of vulnerabilities in All in One SEO
Funnily, the attacks in a series of years and it looks like the developers aren’t cautious and haven’t learned enough to protect their users.
Alternate Trusted Plugins
There are many other better plugins having rick features in the market. One of the most popular is rank math and the 2nd most popular right now is Yoast SEO.
TheDigitalHacker appreciates contributors like rank math who has committed to maintaining all the existing features like, export, import, search console analytics for free in the future. The plugin combines features on All in One Rich Snippet, Schema, Redirection, and many other features for free with a hassle-free integration.
|All In One SEO Alternate Trusted Plugins|
|YoastSEO||Free & Paid||Good enough|
WordPress is the most popular content management system backed by more than 50000 free plugins and paid plugins. WordPress share 63% among the whole CMS market and 37% on the whole worldwide web.
=== Update ===
July 10, 2020 – Initial discovery and analysis of vulnerability. Firewall rule was released for Wordfence Premium customers. Initial outreach to the Semper plugin team.
July 13, 2020 – The lead developer at Semper confirms an appropriate discussion channel. We provide full disclosure.
July 15, 2020 – A patch was released (version 3.6.2).
August 9, 2020 – Free Wordfence users receive firewall rule.
Status of Vulnerability?
Fixed: On July 15, the contributors of the plugin have fixed the issue and pushed an update to the WordPress plugin repository.
- Status: Fixed
- Version: 3.6.1 ==> Version: 3.6.2
- Last updated: 2 days ago
- Active installations: 2+ million
- WordPress Version:4.9 or higher
- Tested up to 5.4.2
- PHP Version: 5.2.4 or higher
SEJ, Wordfence, All In One SEO WordPress Plugin