All in One SEO Pack plugin has a security flaw, please update it right now

If you are running a WordPress website, and you have the popular All in One SEO Pack plugin installed on that site then it would be a good idea to update the plugin as soon as possible. A new version of the plugin was released on Friday which fixes a flaw that could let a hacker hijack the site’s admin account, and take control of the entire site.

You can update the plugin from your WordPress site’s “Updates” menu. (Or, I can help you with it.)

The flaw was first identified by security researcher David Vaartjes, and he says that a hacker can exploit the plugin’s Bot Blocker option by sending HTTP requests with specifically crafted headers to the site.

This feature was intended to detect spam bots and block them, and there’s also an option for logging the bots when they visit. It’s called “Track Blocked Bots”, and when it’s enabled it will display all bot visits in a widget on the site’s admin page.

Hackers could use that widget to insert malicious JavaScript code into the page. The code will be run the next time that a site’s admin refreshes the page, and it can steal their session tokens.
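As an added illustration of the bug class described above (this is not code from the plugin or from the post), here is a minimal WordPress dashboard widget that logs blocked-bot visits. It shows the unescaped rendering that turns a stored request header into live script in the admin’s browser, beside the escaped version that prevents it. The function, option and widget names are assumptions, as is the choice of the User-Agent header as the logged value; the post only says “specifically crafted headers”.

```php
<?php
// Added example, not the plugin's own code. Function, option and widget names
// are assumptions; the logged header (User-Agent) is an assumption too.

// Record one blocked-bot visit. The header is stored as sent, capped in length,
// so the log shows what the bot really transmitted; making it safe to display
// is the renderer's job, not the logger's.
function example_log_blocked_bot() {
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) : '';
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

    $entries   = get_option( 'example_bot_log', array() );
    $entries[] = array(
        'time'       => time(),
        'ip'         => $ip,
        'user_agent' => substr( $ua, 0, 255 ),
    );
    // Keep only the most recent 100 rows so a flood of requests cannot bloat the option.
    update_option( 'example_bot_log', array_slice( $entries, -100 ) );
}

// Vulnerable rendering: attacker-controlled strings are concatenated straight
// into admin-page HTML, so any markup inside the header is interpreted by the
// browser of whoever views the widget (stored cross-site scripting).
function example_render_bot_log_unsafe( array $entries ) {
    echo '<table>';
    foreach ( $entries as $e ) {
        echo '<tr><td>' . $e['ip'] . '</td><td>' . $e['user_agent'] . '</td></tr>';
    }
    echo '</table>';
}

// Hardened rendering: every untrusted value is escaped at the point of output
// with esc_html(), which converts < > & " ' into HTML entities, so the header
// is shown as text rather than executed. Use esc_attr() instead if a value is
// placed inside an HTML attribute.
function example_render_bot_log_safe( array $entries ) {
    echo '<table>';
    foreach ( $entries as $e ) {
        echo '<tr><td>' . esc_html( $e['ip'] ) . '</td><td>' . esc_html( $e['user_agent'] ) . '</td></tr>';
    }
    echo '</table>';
}

// Register the widget on the admin dashboard using the hardened renderer.
add_action( 'wp_dashboard_setup', function () {
    wp_add_dashboard_widget(
        'example_bot_log_widget',
        'Blocked bots (example)',
        function () {
            example_render_bot_log_safe( get_option( 'example_bot_log', array() ) );
        }
    );
} );
```

The practical check when reviewing any plugin that shows visitor-supplied data in the dashboard is to find each place a logged value is echoed and confirm it passes through an escaping function appropriate to its context (esc_html for element content, esc_attr for attributes) at that point of output.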

A “session token” is like a bookmark which websites use to identify a logged in user, and if an attacker copies the token into their own web browser they can trick the site into thinking that the attacker is an authorized user.

This is bad news even if the attacker only gains control of a low-level account, but it would be terrible if the hacker compromises an admin account. They could lock everyone else out, insert links to other sites or rewrite content, or attack visitors with malware.

If you have this plugin, you should update it right away.

image by perspec_photo88

PCWorld

Nate Hoffelder

After six plus years of running The Digital Reader, Nate is a veteran web publisher with experience in design, maintenance, recovery, and troubleshooting. What little he doesn't know, he can learn.
