WiredTree, a provider of managed server hosting, has warned WordPress users of the popular ‘All In One SEO Pack’ plugin to update to the most recent version as soon as possible. According to WiredTree, a flaw in versions older than 2.3.7 could leave sites vulnerable to a cross-site scripting attack that would allow malicious third-parties to take control.
The vulnerability – first reported by Wordfence on July 12 – was quickly fixed by the plugin’s developer, but WiredTree believes many sites may still be running the vulnerable version. The hosting provider, which hosts thousands of WordPress sites, wants to raise awareness to reduce the chance of innocent site owners losing control of their websites.
“Cross-site scripting vulnerabilities occur because it’s difficult to sanitize every potential route by which a malicious user might inject code,” said Zac Cogswell, President of WiredTree. “As soon as this vulnerability was discovered, developers fixed the problem and made a patch available. We want to make sure that every WordPress site owner is aware of the problem, and takes the necessary steps to protect their site and their users.”
Cross-site scripting vulnerabilities are among the most common security issues for sites that accept user-generated content. In this case, the problem lies with functionality intended to block access to so-called bad bots. When the feature blocks a malicious bot, it displays the HTTP request sent by the bot in the WordPress site’s dashboard. Because the request is not sanitized, a maliciously crafted request could include code, which, when the dashboard is loaded by an administrator, would send sensitive data, including authentication cookies, to the attacker.
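To make that failure mode concrete, the following is an added illustration, not code from the All In One SEO Pack plugin, WiredTree or Wordfence: the unescaped rendering pattern described above beside the escaped form, with a small check a reviewer can run over the rendered row. The function names and the three logged fields are assumptions, and the sample request is constructed.

```php
<?php
// Added illustration; function names and the logged fields (ip, user_agent, uri) are assumptions.

// Stand-alone fallback so this runs under plain PHP; inside WordPress, esc_html() is core.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample of a blocked request as a bot blocker might store it.
// Request headers and paths are attacker-controlled, so any markup in them is data, not HTML.
$blocked = [
    'ip'         => '192.0.2.10',                        // RFC 5737 documentation range
    'user_agent' => 'BadBot/1.0 <script>/* hostile */</script>',
    'uri'        => '/?q=<b>not a tag</b>',
];

// VULNERABLE pattern (the class of bug described above): stored request fields are
// concatenated straight into dashboard HTML, so the administrator's browser executes
// any <script> they contain with the administrator's session.
function render_blocked_request_vulnerable(array $req): string
{
    return '<tr><td>' . $req['ip'] . '</td><td>' . $req['user_agent']
         . '</td><td>' . $req['uri'] . '</td></tr>';
}

// HARDENED pattern: escape every untrusted value at the point it is written into HTML.
// esc_html() turns < > & " ' into entities, so the request is displayed literally.
function render_blocked_request_hardened(array $req): string
{
    return '<tr><td>' . esc_html($req['ip']) . '</td>'
         . '<td>' . esc_html($req['user_agent']) . '</td>'
         . '<td>' . esc_html($req['uri']) . '</td></tr>';
}

// Review check: no tag-bearing untrusted value may appear verbatim in the rendered row.
// Returns true when every such value was escaped before reaching the HTML.
function row_has_no_raw_markup(string $html_row, array $req): bool
{
    foreach ($req as $value) {
        if (strpbrk($value, '<>') !== false && strpos($html_row, $value) !== false) {
            return false; // an unescaped copy of a tag-bearing value reached the HTML
        }
    }
    return true;
}

foreach (['vulnerable' => 'render_blocked_request_vulnerable',
          'hardened'   => 'render_blocked_request_hardened'] as $label => $fn) {
    echo $label, ': ', row_has_no_raw_markup($fn($blocked), $blocked) ? 'escaped' : 'raw markup leaked', PHP_EOL;
}
```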
Mitigating the risk is simple: WordPress site owners can update the plugin to version 2.3.7 or later directly from the WordPress administrative dashboard.