Trouble detected with popular WordPress SEO plug-in

Users of the ‘All in One SEO Pack’ plugin for WordPress are being told to update the plugin immediately, after two security flaws were found in it.

According to Sucuri there are two flaws, each of which could have a different impact on corporate users and their blogs.

The first, less dangerous, flaw lets a logged-in user who should not have the permission modify the SEO essentials of a page, such as its title, meta tags and description. Abused across a site, that could get a blog flagged as spam and dropped from Google’s search index.

However, this is not the biggest worry, according to the website clean-up service provider. The second bug could be used to inject and run malicious JavaScript, i.e. a cross-site scripting flaw in those same fields.

In a statement, Sucuri said:

“Now, this means that an attacker could potentially inject any JavaScript code and do things ranging from changing the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more ‘evil’ activities later.”

In a later blog post, one of Sucuri’s web developer analysts, Marc-Alexandre Montpas, said that any site with non-admin accounts, such as authors or subscribers, was at risk.
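The two bug classes described above, a save handler that does not check who is allowed to edit the SEO fields and output that echoes the stored value unescaped, are easy to see side by side in a minimal WordPress meta box. The following is an added illustration written for this page; it is not the All in One SEO Pack’s code, and the `example_seo_*` function names, meta keys and nonce action are assumptions chosen for the example.

```php
<?php
/*
 * Illustration only (not the plugin's own code): a minimal meta-box save and
 * <head> render pair. The example_seo_* names, the _example_seo_* meta keys
 * and the nonce action are assumptions for this example.
 */

// --- Vulnerable pattern -------------------------------------------------
// Any request that reaches the save hook writes the SEO fields: no nonce,
// no capability check, and the value is stored exactly as submitted. A user
// who cannot edit the post can still change its title and description.
function example_seo_save_vulnerable( $post_id ) {
    if ( isset( $_POST['example_seo_title'] ) ) {
        update_post_meta( $post_id, '_example_seo_title', $_POST['example_seo_title'] );
    }
    if ( isset( $_POST['example_seo_description'] ) ) {
        update_post_meta( $post_id, '_example_seo_description', $_POST['example_seo_description'] );
    }
}

// The stored value is echoed raw into every page's <head>, so a payload such
// as "><script>...</script> runs for every visitor, including a logged-in
// administrator viewing the site.
function example_seo_head_vulnerable() {
    if ( ! is_singular() ) {
        return;
    }
    $description = get_post_meta( get_the_ID(), '_example_seo_description', true );
    echo '<meta name="description" content="' . $description . '">' . "\n";
}

// --- Hardened pattern ---------------------------------------------------
// The meta box renders a nonce bound to this post and escapes the current
// value for the attribute context it lands in.
function example_seo_meta_box( $post ) {
    wp_nonce_field( 'example_seo_save_' . $post->ID, 'example_seo_nonce' );
    $title = get_post_meta( $post->ID, '_example_seo_title', true );
    echo '<input type="text" name="example_seo_title" value="' . esc_attr( $title ) . '">';
}

function example_seo_save_hardened( $post_id ) {
    // Ignore autosaves and revisions.
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    // The form must carry a nonce tied to this post, so an arbitrary or
    // cross-origin request cannot trigger the save.
    if ( ! isset( $_POST['example_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_save_' . $post_id ) ) {
        return;
    }
    // Only users who may edit THIS post may change its SEO fields. A
    // subscriber, or an author editing someone else's post, fails here.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['example_seo_title'] ) ) {
        update_post_meta( $post_id, '_example_seo_title',
            sanitize_text_field( wp_unslash( $_POST['example_seo_title'] ) ) );
    }
    if ( isset( $_POST['example_seo_description'] ) ) {
        update_post_meta( $post_id, '_example_seo_description',
            sanitize_text_field( wp_unslash( $_POST['example_seo_description'] ) ) );
    }
}

// Escape for the output context (esc_attr() for an attribute, esc_html() for
// element content). Sanitising on input is not a substitute for this.
function example_seo_head_hardened() {
    if ( ! is_singular() ) {
        return;
    }
    $description = get_post_meta( get_the_ID(), '_example_seo_description', true );
    if ( '' !== $description ) {
        echo '<meta name="description" content="' . esc_attr( $description ) . '">' . "\n";
    }
}

add_action( 'save_post', 'example_seo_save_hardened' );
add_action( 'wp_head', 'example_seo_head_hardened' );
```

The capability check is what closes the first flaw (a low-privileged account writing another user’s SEO fields), and the output escaping is what closes the second (stored script running in visitors’ and administrators’ browsers); the nonce is the standard WordPress companion to both, since without it the save hook can be driven by a forged request. The meta box callback itself would be registered with `add_meta_box()` in the usual way, which is omitted here.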

It is hoped that most users of the plugin have enabled automatic updates, which will deliver the fix. However, with about 19 million downloads of the tool, it is likely that a significant number of business blogs will remain vulnerable.

Anyone whose site does not update plugins automatically (WordPress does not do so for plugins unless the site has opted in) is advised to install the update released at the weekend, which patches both vulnerabilities.
