Older versions of the popular WordPress Plugin All in One SEO περιέχουν μια ευπάθεια που επιτρέπει σε έναν εισβολέα να αποθηκεύσει κακόβουλο κώδικα στο admin panel που θα μπορούσε ενδεχομένως να τον βοηθήσει να αναλάβει την διαχείριση της ιστοσελίδας.
This particular plugin (All in One SEO) helps page managers to improve SEO (Search Engine Optimization) with too many settings.
One of these settings is called Bot Blocker and allows administrators to decide which machine searchs is allowed to access their website. This setting is disabled by defaultchoice, so there's no need to worry for plugin users.
Now that someone is using this feature, according to security researcher David Vaartjes, the plugin records these bots visits without clearing the text in the User Agent.
So if an attacker can change these attributes by appending malicious code, (of course knowing which bot is blocked on the site) then the attack is successful.
Although too many parameters will have to match for the attack to complete successfully, don't wait, upgrade to the next version...