If you are running a WordPress website and have the popular All in One SEO Pack plugin installed on it, it would be a good idea to update the plugin as soon as possible. A new version of the plugin was released on Friday which fixes a flaw that could let a hacker hijack the site’s admin account and take control of the entire site.
You can update the plugin from your WordPress site’s “Updates” menu. (Or I can help you with it.)
The flaw was first identified by security researcher David Vaartjes, and he says that a hacker can exploit the plugin’s Bot Blocker option by sending HTTP requests with specially crafted headers to the site.
This feature was intended to detect spam bots and block them, and there’s also an option for logging the bots when they visit. It’s called “Track Blocked Bots”, and when it’s enabled it will display all bot visits in a widget on the site’s admin page. Because that widget shows the logged header values as they were received, a crafted header can carry script into the admin page, where it runs in the administrator’s browser and can read the administrator’s session token.
A “session token” is like a bookmark which websites use to identify a logged-in user, and if an attacker copies the token into their own web browser they can trick the site into thinking that the attacker is an authorized user.
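To make the mechanism concrete, here is an added example (not the plugin’s code, and not from the author of this post) that models a “blocked bots” admin widget in Python. It assumes the plugin stores the raw header values of each blocked visit and later renders them into an HTML table; the two sample log entries are constructed for the example. It shows the unsafe rendering pattern beside the hardened one (escape every attacker-controlled value at output time), plus a small check a defender could run over stored entries to flag header values carrying markup.

```python
import html
import re

# Constructed sample of stored "blocked bot" entries, as a plugin like the one
# described might keep them: the raw request header value for each visit.
# The second entry smuggles HTML and a script tag inside the User-Agent string.
SAMPLE_BOT_LOG = [
    {"ip": "203.0.113.7", "user_agent": "BadBot/1.0 (+http://example.invalid)"},
    {"ip": "198.51.100.9", "user_agent": "Mozilla/5.0 <b>bold</b> <script>alert(1)</script>"},
]


def render_widget_unsafe(entries):
    """Vulnerable pattern: stored header values are dropped into the admin
    page's HTML as-is, so any markup in them becomes part of the page."""
    rows = "".join(
        f"<tr><td>{e['ip']}</td><td>{e['user_agent']}</td></tr>" for e in entries
    )
    return f"<table>{rows}</table>"


def render_widget_safe(entries):
    """Hardened pattern: every attacker-controlled value is HTML-escaped at
    output time, so '<script>' is shown as text, never executed."""
    rows = "".join(
        f"<tr><td>{html.escape(e['ip'], quote=True)}</td>"
        f"<td>{html.escape(e['user_agent'], quote=True)}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


# A legitimate User-Agent has no reason to contain a tag, a javascript: URL,
# or an inline on*= event handler; any of those is worth a closer look.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def suspicious_entries(entries):
    """Detection helper: return the stored entries whose header value carries
    HTML or JavaScript markup."""
    return [e for e in entries if MARKUP_RE.search(e["user_agent"])]


def contains_live_script(rendered_html):
    """True if the rendered page contains a real <script> element, i.e. the tag
    survived unescaped, rather than the inert text '&lt;script&gt;'."""
    return re.search(r"<script\b", rendered_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe widget has live script:", contains_live_script(render_widget_unsafe(SAMPLE_BOT_LOG)))
    print("safe widget has live script:  ", contains_live_script(render_widget_safe(SAMPLE_BOT_LOG)))
    print("flagged entries:", [e["ip"] for e in suspicious_entries(SAMPLE_BOT_LOG)])
```

The fix is output escaping, not input filtering: the log may legitimately keep the raw header for forensics, but whatever reaches an HTML page must be escaped at the point of rendering. Marking the session cookie HttpOnly limits what injected script can read directly, but it does not stop that script from acting in the administrator’s name, so updating the plugin is still the real remedy.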
This is bad news even if the attacker only gains control of a low-level account, but it would be terrible if the hacker compromised an admin account. They could lock everyone else out, insert links to other sites or rewrite content, or attack visitors with malware.
If you have this plugin, you should update it right away.
image by perspec_photo88