There is a serious stored cross-site scripting (XSS) vulnerability in All in One SEO Pack Plugin versions 2.3.6.1 and older. This plugin is installed on over 1 million active websites and is extremely popular and widely used. The vulnerability allows an attacker to send a malicious HTTP User-Agent or Referer header to the site containing an XSS payload. If the administrator then visits their admin panel and views the "Bad Bot Blocker" settings page in this plugin, the attacker can take full control of their site.

This vulnerability is only exploitable on sites that have the "Track Blocked Bots" setting enabled. This setting is not enabled by default. We do not have definitive data to indicate how many users of the plugin have enabled this feature. However, this plugin is extremely popular:

- All in One SEO Pack has been downloaded over 28 million times (this includes upgrades).
- It has been around for over 9 years.
- It is one of the most downloaded WordPress plugins. Contrary to its claim of being the most downloaded WordPress plugin, Akismet, Yoast SEO and Contact Form 7 have more downloads.

This attack has a CVSS score of 8.8 (High), however due to the extremely
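The bug class described above is a log of attacker-controlled request headers that is later rendered unescaped in an admin page. The following is an added illustration of that pattern and its fix, written for this post; it is not the plugin's code or Wordfence's, and the option key and function names are hypothetical.

```php
<?php
// Added example (not the plugin's code). Models a "track blocked bots" log
// that becomes a stored XSS sink, and the output-escaping fix.
// BOT_LOG_OPTION and all example_* names are hypothetical.

const BOT_LOG_OPTION = 'example_blocked_bot_log';

// Record a blocked request. User-Agent and Referer are fully attacker
// controlled: store them as plain text and never trust them later.
function example_log_blocked_request() {
    $entries   = get_option( BOT_LOG_OPTION, array() );
    $entries[] = array(
        'time'    => time(),
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'ua'      => isset( $_SERVER['HTTP_USER_AGENT'] ) ? wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) : '',
        'referer' => isset( $_SERVER['HTTP_REFERER'] ) ? wp_unslash( $_SERVER['HTTP_REFERER'] ) : '',
    );
    // Bound the stored log so an attacker cannot grow the option without limit.
    update_option( BOT_LOG_OPTION, array_slice( $entries, -100 ) );
}

// VULNERABLE pattern: stored header values are concatenated into admin HTML
// raw, so any markup in a logged header runs in the administrator's browser.
function example_render_log_vulnerable( array $entries ) {
    $html = '<table>';
    foreach ( $entries as $e ) {
        $html .= '<tr><td>' . $e['ip'] . '</td><td>' . $e['ua'] . '</td><td>' . $e['referer'] . '</td></tr>';
    }
    return $html . '</table>';
}

// FIXED pattern: every attacker-controlled value is escaped for the context
// it lands in (esc_html for text nodes; esc_attr would be used inside
// attributes, esc_url for hrefs). Escaping at output is what closes the bug;
// sanitizing at storage time is only defence in depth.
function example_render_log_safe( array $entries ) {
    $html = '<table>';
    foreach ( $entries as $e ) {
        $html .= '<tr><td>' . esc_html( $e['ip'] ) . '</td><td>' . esc_html( $e['ua'] ) . '</td><td>' . esc_html( $e['referer'] ) . '</td></tr>';
    }
    return $html . '</table>';
}

// Admin page callback: capability check plus the escaped renderer.
function example_bad_bot_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo example_render_log_safe( get_option( BOT_LOG_OPTION, array() ) );
}
```

When reviewing a plugin for this class of issue, search for `$_SERVER['HTTP_USER_AGENT']` and `$_SERVER['HTTP_REFERER']` reads that end up in an option or table, then confirm every place that data is echoed passes through an `esc_*` function.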