Older versions of the popular WordPress All-In-One SEO plugin contain a vulnerability that allows an attacker to store malicious code in the admin panel that could potentially help him to take over the management of the site.
This particular plugin (All in One SEO) helps page managers to improve SEO (Search Engine Optimization) with too many settings.
One of these settings is called Bot Blocker and allows administrators to decide which one machine searchis allowed to have access on their website. This setting is disabled by default, so there is no need to worry for plugin users.
Now that someone is using this feature, according to security researcher David Vaartjes, the plugin records these bots visits without clearing the text in the User Agent.
So if an attacker can change these attributes by attaching malicious code, (if of course he knows which bot is blocked on the site) then the attack he is successful.
Although many parameters must be matched to successfully complete the attack, do not wait, upgrade to the next version…
