Wordfence’s Threat Intelligence team recently identified a vulnerability in the All In One SEO WordPress plugin, which is installed on more than 2 million websites. The flaw is a stored cross-site scripting (XSS) issue: a user with contributor-level access could inject malicious script that runs in the browser of any other user, such as an administrator, who views the wp-admin All Posts page. The plugin offers a wide range of SEO features that help a website rank better on search engines such as Google and Bing.
The Wordfence team contacted the All In One SEO Plugin’s team and a patch was created within a few days.
“We reached out to the plugin’s team the same day of discovery on July 10, 2020 and a patch was released just a few days later on July 15, 2020.”
All In One SEO Plugin users need to update to the latest version to be safe from potential attacks. If you are one of the 2 million All In One SEO plugin users, update to version 3.6.2, which sanitizes the affected fields so that injected markup is rendered as text rather than executed as a script. You can confirm the installed version under Plugins > Installed Plugins in wp-admin; anything below 3.6.2 is affected.
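To make the mechanism and the fix concrete, here is an added illustration; it is not code from All in One SEO Pack or from Wordfence. It is a minimal plugin that stores a per-post SEO title and shows it as a column on the All Posts screen. The meta key `_example_seo_title`, the form field `example_seo_title` and the `VULNERABLE_MODE` switch are all hypothetical; the WordPress hooks and helpers (`save_post`, `manage_posts_columns`, `manage_posts_custom_column`, `sanitize_text_field`, `esc_html`) are real.

```php
<?php
/*
 * Added example (not code from All in One SEO Pack or Wordfence).
 * Stores a per-post "SEO title" and renders it in the wp-admin
 * All Posts list table. Meta key, field name and the VULNERABLE_MODE
 * switch are hypothetical; true reproduces the class of bug described
 * in the article, false shows the hardened version.
 */

const EXAMPLE_META_KEY = '_example_seo_title'; // hypothetical meta key
const VULNERABLE_MODE  = false;                // set true to reproduce the flaw

// Source: save the SEO title submitted with the post edit form.
// A Contributor reaches this path because they may create and edit their
// own drafts. (A real plugin would also verify a nonce here; the edit
// screen field itself is omitted from this example.)
add_action( 'save_post', function ( $post_id ) {
    if ( ! isset( $_POST['example_seo_title'] ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $raw = wp_unslash( $_POST['example_seo_title'] );

    // Vulnerable: stored verbatim. Post meta is not passed through the
    // kses filtering that strips <script> from post_content for users
    // lacking unfiltered_html, so a Contributor can store
    // <img src=x onerror="..."> here unchanged.
    // Hardened: strip tags and control characters on input.
    $value = VULNERABLE_MODE ? $raw : sanitize_text_field( $raw );
    update_post_meta( $post_id, EXAMPLE_META_KEY, $value );
} );

// Add an "SEO Title" column to Posts > All Posts.
add_filter( 'manage_posts_columns', function ( $columns ) {
    $columns['example_seo_title'] = 'SEO Title';
    return $columns;
} );

// Sink: rendered once per row for every user who opens All Posts,
// including Administrators. This is where the stored payload fires.
add_action( 'manage_posts_custom_column', function ( $column, $post_id ) {
    if ( 'example_seo_title' !== $column ) {
        return;
    }
    $title = get_post_meta( $post_id, EXAMPLE_META_KEY, true );

    if ( VULNERABLE_MODE ) {
        echo $title;             // browser interprets any markup in the value
    } else {
        echo esc_html( $title ); // rendered as literal text, never as HTML
    }
}, 10, 2 );
```

With `VULNERABLE_MODE` set to true, a Contributor who saves a draft whose SEO title is `<img src=x onerror="...">` gets that handler executed with an Administrator's session the next time the Administrator loads All Posts; script running in an admin session can add users or edit plugin files, which is the "complete site takeover" Wordfence refers to. Output escaping with `esc_html()` on its own closes the XSS; sanitizing on input as well is defense in depth, since the same meta value may be echoed elsewhere by code that forgets to escape.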
“This is considered a medium severity security issue that, as with all XSS vulnerabilities, can result in complete site takeover and other severe consequences. We strongly recommend immediately updating to the latest version of this plugin. At the time of writing, that is version 3.6.2 of All in One SEO Pack.”
Read more about the All In One SEO Plugin vulnerability at Wordfence: 2 Million Users Affected by Vulnerability in All in One SEO Pack