A recently disclosed vulnerability in the All-in-One SEO Pack plugin makes it possible for malicious users to take control of a website that uses it. Wordfence notes that up to two million users may be affected. The flaw is a cross-site scripting vulnerability that can be used to gain access to the website’s back end. WordPress sites usually store their content directly on the server, and the exploit allows malicious actors to get direct access to all the data stored in the content management system.
How The Vulnerability Works
A cross-site scripting (XSS) attack relies on user-supplied input that is stored or reflected by the site and later rendered in a page. As OWASP describes it, XSS is used to inject malicious scripts into otherwise safe and trusted websites. Input fields that aren’t adequately sanitized can be used to push attacker-controlled text to the back end of the site. In this case, that text (which is a complete script) is stored in the SEO Title or SEO Description field. When a visitor loads the page, the browser executes the script as if it were part of the trusted site, unaware of its malicious nature, leading to the user’s system becoming compromised.
The vulnerability has been rated a medium-severity threat because it still requires the malicious user to log in to the site with Contributor-level credentials. Reports note that the flaw primarily affects the SEO Title and SEO Description fields of a post. They also highlight that all versions of All-in-One SEO up to and including 3.6.1 are vulnerable.
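To make the mechanism concrete, here is an added Python model of the two rendering behaviours the article contrasts: a page head that interpolates the stored SEO fields as-is, and one that escapes them on output. This is illustrative code, not the plugin’s own; the `seo_title`/`seo_description` keys and the sample values are constructed, and the audit helper assumes that the update sanitizes new input but does not rewrite values already stored.

```python
import html
import re

# Constructed sample: SEO fields as a Contributor might have saved them.
# The title carries a script tag, the kind of input the article says
# ends up stored in the SEO Title / SEO Description fields.
SAMPLE_META = {
    "seo_title": 'My Post <script>alert("xss")</script>',
    "seo_description": 'A harmless "description" & summary',
}


def render_head_vulnerable(meta):
    """Model of the pre-fix behaviour: stored values land in the markup unchanged."""
    return (
        f"<title>{meta['seo_title']}</title>\n"
        f'<meta name="description" content="{meta["seo_description"]}">'
    )


def render_head_sanitized(meta):
    """Model of the fix: escape on output so the browser treats the values as text."""
    title = html.escape(meta["seo_title"], quote=True)
    desc = html.escape(meta["seo_description"], quote=True)
    return (
        f"<title>{title}</title>\n"
        f'<meta name="description" content="{desc}">'
    )


# Matches any HTML tag; plain text never contains one in a title or description.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def find_suspicious_fields(meta):
    """Audit helper: names of stored SEO fields that contain an HTML tag.
    Assumption: worth running over existing post meta after updating, because
    input sanitization applies to new saves, not to values stored earlier."""
    return sorted(k for k, v in meta.items() if TAG_RE.search(v))


def contains_script_element(rendered_html):
    """True if the rendered markup contains a real <script> element;
    an escaped &lt;script&gt; is text and does not match."""
    return re.search(r"<script\b", rendered_html, re.IGNORECASE) is not None
```

Running the vulnerable renderer over the sample produces a live script element in the page head, while the sanitized renderer produces only escaped text; the audit helper flags `seo_title` as the field to clean up.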
Discovery of the Vulnerability
Researchers discovered the vulnerability on July 10th, 2020, and notified the company of the issue with its plugin. The vulnerability was isolated, and a patch was released just five days later. The changelog for All-in-One SEO notes that sanitization was added to the affected input fields for a more stable and secure environment. This fix was a direct response to this particular exploit.
Should I Be Worried?
While the exploit itself is dangerous, site owners who have no Contributor-level accounts on their blogs shouldn’t encounter an issue. Even so, you are encouraged to update All-in-One SEO to version 3.6.2 as soon as possible. The need for valid user credentials before any havoc can be caused within a site is still a major stumbling block for an attacker. For some malicious users, gaining those credentials usually requires social engineering of the site’s contributors. If the site is a single-user site or a personal blog, then as long as no one obtains your login credentials, you should remain unaffected.
What Does This Mean for My SEO?
If you use All-in-One SEO for better visibility and have many contributors, you should update immediately. The vulnerability is not going away, and avoiding the update simply postpones the problem until a breach occurs. Alternatively, you could look at other suppliers such as Yeah! Local and take advantage of their SEO services. SEO is an integral part of bringing visitors to your website, and the prospect of someone gaining access to it and infecting visitors is a serious concern. The company’s response time was impressive, but unless you update your plugin, it may all be for nothing.