Older versions of the popular WordPress Plugin All in One SEO contain a vulnerability that allows an attacker to store malicious code in the admin panel that could potentially help them take over the administration of the website.
This plug-in (All in One SEO) helps page managers improve SEO (Search Engine Optimization) with too many settings.
One of these settings is called Bot Blocker and allows administrators to decide which one machine search engine is allowed to access their site. This setting is disabled by default, so there is no need to worry for plugin users.
If now someone uses this feature, according to security researcher David Vaartjes, the plugin records these bot visits, without cleaning the text present in the User Agent.
So if an attacker can change these attributes by appending malicious code, (of course knowing which bot is blocked on the site) then the attack is successful.
Although too many parameters will have to match for the attack to complete successfully, don't wait, upgrade to the next version...