AAPL Stock: 110.31 ( + 0.81 )

Printed from

High-usage Wordpress SEO plug-in flagged for security vulnerability

updated 07:15 pm EDT, Mon June 2, 2014

Popular page SEO plug-in open to permissions vulnerability, injected code

Wordpress users with search engine optimization (SEO) tools may want to considering doing an update, as one of the most widely used plug-ins has been found to vulnerable to attack. All in One SEO Pack, a plug-in with over 18.5 million downloads on, could potentially allow for an attacker to escalate their privileges from a low-level user account, and carry out cross-site scripting attacks.

Marc-Alexandre Montpas, a security researcher from Sucuri, found that vulnerabilities in the plug-in could be used to inject malicious code into a Wordpress administration panel. This code would then be executed anytime a user would log into the wp-admin control panel. Any user, from administrators to site subscribers, could trigger the injected code once it is in place.

Users, including ones from an open registration, can manipulate SEO parameters including keyword tags, SEO title and description. At the most basic level, the vulnerability in the plug-in doesn't amount to much of a problem -- since it would just decrease position on a search results page. However, it can be used in conjunction with another bug to do more serious damage.

"We also discovered this bug can be used with another vulnerability to execute malicious Javascript code on an administrator's control panel," said Montpas. "Now, this means that an attacker could potentially inject any Javascript code and do things like changing the admin's account password to leaving some backdoor in your website's files in order to conduct even more 'evil' activities later."

Since this attack can be done with an account that someone can sign up for on their own rather than being assigned, it creates a large issue for Wordpress users. All-in-One SEO Pack has since issued an update to version 2.1.6 that fixes the vulnerabilities. If there is a website that runs the plug-in, it is suggested that they update to the latest version immediately to avoid unwanted activity. The plug-in can be upgraded through the administration panel in Wordpress, or downloaded from

by MacNN Staff



Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Polk Hinge Wireless headphones

Polk, a company well-established in the audio market, recently released a new set of headphones aimed at the lifestyle market. The Hin ...

Blue Yeti Studio

Despite being very familiar with Blue Microphones' lower-end products -- we've long recommended the company's Snowball line of mics ...

ZTE Spro 2 Smart Projector

Home theaters are becoming more and more accessible these days, but maybe you've been a bit wary about buying a home projector. And h ...


Most Commented