Vulnerability in the All in One SEO WordPress plugin allows XSS

Older versions of the popular WordPress All-In-One SEO plugin contain a vulnerability that allows an attacker to store malicious code in the admin panel that could potentially help him to take over the management of the site.WordPress All in One SEO

This plug-in (All in One SEO) helps page managers improve SEO (Search Engine Optimization) with too many settings.

One of these settings is called Bot Blocker and allows administrators to decide which search engine is allowed to access their site. This setting is off by default, so there is no reason to worry about plugin users.

Now that someone is using this feature, according to security researcher David Vaartjes, the plugin records these bots visits without clearing the text in the User Agent.

So if an attacker can change these attributes by appending malicious code, (of course knowing which bot is blocked on the site) then the attack is successful.

Although many parameters must be matched to successfully complete the attack, do not wait, upgrade to the next version…

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.098 registrants.

Written by Dimitris

Dimitris hates on Mondays .....

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).