toggle

AAPL Stock: 112.76 ( -0.53 )

Printed from http://www.macnn.com

High-usage Wordpress SEO plug-in flagged for security vulnerability

updated 07:15 pm EDT, Mon June 2, 2014

Popular page SEO plug-in open to permissions vulnerability, injected code

Wordpress users with search engine optimization (SEO) tools may want to considering doing an update, as one of the most widely used plug-ins has been found to vulnerable to attack. All in One SEO Pack, a plug-in with over 18.5 million downloads on Wordpress.com, could potentially allow for an attacker to escalate their privileges from a low-level user account, and carry out cross-site scripting attacks.

Marc-Alexandre Montpas, a security researcher from Sucuri, found that vulnerabilities in the plug-in could be used to inject malicious code into a Wordpress administration panel. This code would then be executed anytime a user would log into the wp-admin control panel. Any user, from administrators to site subscribers, could trigger the injected code once it is in place.

Users, including ones from an open registration, can manipulate SEO parameters including keyword tags, SEO title and description. At the most basic level, the vulnerability in the plug-in doesn't amount to much of a problem -- since it would just decrease position on a search results page. However, it can be used in conjunction with another bug to do more serious damage.

"We also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator's control panel," said Montpas. "Now, this means that an attacker could potentially inject any Javascript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more 'evil' activities later."

Since this attack can be done with an account that someone can sign up for on their own rather than being assigned, it creates a large issue for Wordpress users. All-in-One SEO Pack has since issued an update to version 2.1.6 that fixes the vulnerabilities. If there is a website that runs the plug-in, it is suggested that they update to the latest version immediately to avoid unwanted activity. The plug-in can be upgraded through the administration panel in Wordpress, or downloaded from Wordpress.com.




by MacNN Staff

toggle

Comments

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

Follow us on Facebook

toggle

Most Popular

Advertisement

Recent Reviews

Blue Yeti Studio

Despite being very familiar with Blue Microphones' lower-end products -- we've long recommended the company's Snowball line of mics ...

ZTE Spro 2 Smart Projector

Home theaters are becoming more and more accessible these days, but maybe you've been a bit wary about buying a home projector. And h ...

MSI Geforce GTX 970 100ME

When Nvidia announced a new line of video cards in September 2014, many people thought things would continue to be business as usual i ...

toggle

Most Commented