
Researchers have identified multiple privilege escalation and cross-site scripting vulnerabilities in the popular WordPress Plugin All in One SEO Pack, which is currently estimated to be running on more than 15 million of the 73 million WordPress websites.

“While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross-site scripting (XSS) attacks,” wrote Marc-Alexandre Montpas.

“In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags, all of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.”

Montpas went on to explain that his team also discovered that this vulnerability can be combined with another flaw, allowing an attacker to execute malicious JavaScript in the administrator control panel of an unpatched website.

“This means that an attacker could potentially inject any JavaScript code and do things from changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more ‘evil’ activities later,” Montpas said.

“If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk, so you have to update the plugin now… We’re not going to reinvent the wheel on this one: upgrade to the latest version available for this plugin.”
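The two weaknesses described above, a low-privilege user writing a post's SEO meta and that value later rendering unescaped in wp-admin, follow a familiar WordPress plugin pattern. The following is an added illustration written for this page, not the All in One SEO Pack code (which the article does not show); it uses a hypothetical meta box with made-up field names and only WordPress core functions, and puts the weak pattern beside its hardened form.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical meta box storing an SEO title.
// Field and meta key names (demo_seo_*) are made up for this example.

// WEAK PATTERN: no nonce and no capability check, so any logged-in user who can reach
// the request path can write the meta; the value is then echoed into wp-admin
// unescaped, so a stored script runs in whichever administrator opens the editor.
function demo_seo_save_insecure( $post_id ) {
    if ( isset( $_POST['demo_seo_title'] ) ) {
        update_post_meta( $post_id, '_demo_seo_title', $_POST['demo_seo_title'] );
    }
}
function demo_seo_render_insecure( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    echo '<input name="demo_seo_title" value="' . $title . '">'; // unescaped output
}

// HARDENED PATTERN: verify the nonce, require the capability to edit this specific
// post, sanitize on the way in, and escape on the way out.
function demo_seo_save_secure( $post_id ) {
    if ( ! isset( $_POST['demo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_seo_nonce'], 'demo_seo_save_' . $post_id ) ) {
        return; // request did not come from our form
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return; // subscribers, and authors on other people's posts, are refused
    }
    if ( isset( $_POST['demo_seo_title'] ) ) {
        $clean = sanitize_text_field( wp_unslash( $_POST['demo_seo_title'] ) );
        update_post_meta( $post_id, '_demo_seo_title', $clean );
    }
}
function demo_seo_render_secure( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    wp_nonce_field( 'demo_seo_save_' . $post->ID, 'demo_seo_nonce' );
    // esc_attr() neutralises quotes and angle brackets inside the attribute value
    echo '<input name="demo_seo_title" value="' . esc_attr( $title ) . '">';
}

// Only the hardened handlers are wired up.
add_action( 'save_post', 'demo_seo_save_secure' );
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'demo_seo', 'SEO title (demo)', 'demo_seo_render_secure', 'post' );
} );
```

When reviewing a plugin for this class of bug, look for every `update_post_meta` or option write reachable from a request and confirm it is guarded by both a nonce check and a `current_user_can()` check, and for every echo of stored data into wp-admin that it passes through `esc_attr()` or `esc_html()`.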

  • Oh! I really don't know about this great WordPress plugin. All in One SEO has vulnerabilities? But what about the alternatives to this plugin, such as Headspace, etc.?

  • James

    You share quality information about SEO and I really like whole stuff. Please keep posting this genre of informative articles.

  • techiv

    That doesn’t sound good. I never thought someone could modify parameters used by the plugin. I would be very worried about what the attacker can do. Thanks for the warning though. I’ll share this one with my friends.

  • edson

    As I am just starting to use SEO techniques this is very useful to me. Thanks for sharing.

  • avigau111

    This is the first time I am reading about the vulnerabilities in All in One SEO, and thanks for guiding us about this.

  • swetha

    After reading this post I know the vulnerabilities of the All in One SEO Pack plugin, and I'm going to remove this plugin from my WordPress website. Could you suggest some other SEO plugin that won't affect website standards?

  • Hi, thanks for the lovely article. I must say I have not tried this, but it looks like it's worth a shot… Will try this and hope to increase the traffic… fingers crossed.

  • Bert

    As much as I love All in One SEO (it’s the first SEO plugin I learned and used), as time went by, I was able to discover (from other users) how this plugin could slow your site down the more pages you optimize. I had to shift to another SEO plugin because of this.

  • I also used this All in One SEO plugin, and all the features were awesome and easy to use. No other plugin is required for SEO while using this plugin.