Warning: The popular All in One SEO Pack WordPress plugin has been found vulnerable to privilege escalation and cross-site scripting attacks. All versions of the plugin prior to the recently released 2.1.6 are affected. To mitigate this threat, update to version 2.1.6 as soon as possible.
Privilege Escalation
The discovered privilege escalation vulnerability allows logged-in WordPress users to modify your website's SEO components (such as the SEO title, description and keywords of posts) without needing administrator permissions. A malicious actor could do so to negatively impact your website's search engine ranking.
Cross Site Scripting
The discovered cross-site scripting (XSS) vulnerability allows an attacker to inject malicious JavaScript code into a WordPress administrator's control panel. Because that code runs in the administrator's browser with the administrator's session, it could be designed to perform any number of malicious actions, including the installation of a backdoor for monitoring purposes.
Ensuring Protection
The most immediate method of threat mitigation is to install the official plugin update to version 2.1.6. Additionally, you should evaluate how users interact with your WordPress site. Disabling open registration (Settings > General > Membership, "Anyone can register") limits who can obtain the low-privileged accounts these attacks start from, and can help protect your site from future threats of this nature.
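The two bug classes described above, a privilege check that is missing on a save handler and an admin field that is echoed without escaping, are shown side by side in the following added illustration. This is hypothetical example code written for this page, not code from All in One SEO Pack or from Sucuri's write-up; the `example_` function names, the `_example_seo_title` meta key and the form field names are invented, and the plugin's main file path is assumed. The last function implements the two checks from the section above as an admin notice.

```php
<?php
// Added illustration, not plugin code: a hypothetical SEO meta-box handler
// with the vulnerable pattern first and a hardened version after it.

// --- Vulnerable pattern (hypothetical) ---------------------------------
// Stores a request-supplied SEO title for any post with no capability
// check and no sanitisation, then echoes it raw into the admin page.
function example_vulnerable_save_seo_title( $post_id ) {
    if ( isset( $_POST['seo_title'] ) ) {
        // Privilege escalation: any logged-in user who can reach this path
        // can rewrite the field, whatever their role.
        update_post_meta( $post_id, '_example_seo_title', $_POST['seo_title'] );
    }
}

function example_vulnerable_render_seo_title( $post_id ) {
    $title = get_post_meta( $post_id, '_example_seo_title', true );
    // Stored XSS: unescaped output runs in the administrator's browser.
    echo '<input type="text" name="seo_title" value="' . $title . '">';
}

// --- Hardened pattern --------------------------------------------------
function example_hardened_save_seo_title( $post_id ) {
    // Skip autosaves; they never carry the meta-box fields.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // CSRF protection: the form must carry a nonce bound to this post.
    if ( ! isset( $_POST['example_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_save_' . $post_id ) ) {
        return;
    }
    // Authorisation: only a user allowed to edit this post may change its SEO fields.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['seo_title'] ) ) {
        // Sanitise on input: strips tags and control characters.
        $title = sanitize_text_field( wp_unslash( $_POST['seo_title'] ) );
        update_post_meta( $post_id, '_example_seo_title', $title );
    }
}

function example_hardened_render_seo_title( $post_id ) {
    $title = get_post_meta( $post_id, '_example_seo_title', true );
    wp_nonce_field( 'example_seo_save_' . $post_id, 'example_seo_nonce' );
    // Escape on output as well, regardless of what was stored earlier.
    echo '<input type="text" name="seo_title" value="' . esc_attr( $title ) . '">';
}
add_action( 'save_post', 'example_hardened_save_seo_title' );

// --- Checks from the "Ensuring Protection" section ---------------------
// Warns administrators when the installed plugin is older than 2.1.6 or
// when open registration is still enabled.
function example_check_aioseop_and_registration() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // Assumed location of the plugin's main file.
    $plugin_file = WP_PLUGIN_DIR . '/all-in-one-seo-pack/all_in_one_seo_pack.php';
    if ( file_exists( $plugin_file ) ) {
        $data = get_plugin_data( $plugin_file, false, false );
        if ( version_compare( $data['Version'], '2.1.6', '<' ) ) {
            echo '<div class="notice notice-error"><p>All in One SEO Pack '
                . esc_html( $data['Version'] ) . ' is older than 2.1.6; update it now.</p></div>';
        }
    }
    if ( get_option( 'users_can_register' ) ) {
        echo '<div class="notice notice-warning"><p>Open registration is enabled '
            . '(Settings &gt; General &gt; Membership).</p></div>';
    }
}
add_action( 'admin_notices', 'example_check_aioseop_and_registration' );
```

The hardened handler checks the nonce before the capability so that a forged request from an administrator's browser is rejected even though the administrator would pass `current_user_can`; sanitising on input and escaping on output are both kept, because either one alone leaves a gap when data reaches the field by another route.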
More details on these vulnerabilities can be found at the Sucuri Blog.
Have a Great (Malware-Free) Day!