SEO plugin for WordPress websites contains flaws that lead to serious vulnerabilities
WordPress users of the popular 'All in One SEO Pack' plug-in are at risk of compromise if their developers fail to upgrade to the newly released version that fixes the problem.
The 'All in One SEO Pack' plug-in for WordPress websites optimises content so that search engine crawlers index it more efficiently, which improves its rank in the search results. Figures from the official WordPress add-ons repository indicate the plug-in has been downloaded 18.5 million times.
Ultimately, an attacker could insert a backdoor into the website that can then be used at a later date for malicious purposes. Other immediate threats, such as the alteration of passwords, are also possible.
The web security firm Sucuri found flaws in the 'All in One SEO Pack' plug-in that allow attackers without administrative WordPress accounts to increase their privileges and inject malicious content. The Sucuri analysts said in a recent blog post that "If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk, so you have to update the plugin now."
WordPress sites have been frequent targets of attack over the years, especially via third-party components such as plug-ins.
WordPress developers are advised to upgrade the 'All in One SEO Pack' plug-in to version 2.1.6, available at the WordPress add-ons repository.