Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

New Vulnerability in All in One SEO Pack Plugin 2.3.7 and earlier

This entry was posted in Vulnerabilities, Wordfence, WordPress Security on July 13, 2016 by Dan Moen   13 Replies

Yesterday morning Panagiotis Vagenas, a Wordfence Security Researcher, discovered a new vulnerability in the All in One SEO Pack WordPress plugin. This is in addition to another serious vulnerability we wrote about yesterday morning in the same plugin.

As detailed yesterday, All in One SEO Pack is an extremely popular plugin with over 1,000,000 active installs. Both free and Premium Wordfence users with the firewall enabled had partial protection at the time we discovered this new vulnerability. A firewall rule that provides complete protection was added to the Threat Defense Feed yesterday morning.

The author released version 2.3.8 which fixes the vulnerability yesterday afternoon.

This unauthenticated stored XSS vulnerability allows an attacker to inject javascript code into a page that requires admin privileges to view. When a site admin visits the page, the malicious code that runs can perform administrative actions such as modifying existing user privileges, creating a new admin user or stealing admin session tokens.

This exploit only works if the user has enabled the sitemap module in the plugin. We have no way of estimating the percentage of All in One SEO Pack users who are vulnerable, but given the widespread use of the plugin and the importance of sitemaps for SEO, it is likely that 100s of thousands of sites are impacted.

CVSS Severity: 8.8 (High)

What to do

Premium Wordfence customers that have the firewall enabled are already completely protected by the firewall rule we added yesterday morning. Free Wordfence users running the All in One SEO Pack plugin should upgrade to version 2.3.8 immediately, and will receive a rule to completely protect against this vulnerability on August 11th.

In addition we encourage you to share this post with the broader WordPress community to create awareness of this serious security issue.

Did you enjoy this post? Share it!

13 Comments on "New Vulnerability in All in One SEO Pack Plugin 2.3.7 and earlier"

Jay July 13, 2016 at 9:45 am

No new updates have been released, atleast its not showing up in wordpress plugin page.

mark July 13, 2016 at 9:53 am

Please see: https://wordpress.org/plugins/all-in-one-seo-pack/

Michael Torbert July 13, 2016 at 10:09 am

The All in One SEO Pack team worked with WordFence over the last few days to identify and patch any possibly similar threats to the one we patched in 2.3.7. The resulting release, 2.3.8, solves the above issue and users are advised to always stay on top of updates. We're very grateful for their help.
As noted in our blog post yesterday, the All in One team takes the security of our plugin and our users' properties seriously and felt it due diligence to commission full audits from Sucuri and Mark Jaquith (who, along with Wordfence are the three most trusted names in WordPress security). We expect there will be future updates in the near future as we adopt recommendations on hardening the codebase.

Teodor Miroslav Muntean July 13, 2016 at 10:14 am

My website was hacked few days ago and I found some suspect notes in this plugin so I have removed it, and it took me one day to repair back the website. I am not that the All in one seo pack was the cause of this, but as I said some strange notes inside it and suspicious files were found. I am sorry I did not keep those notes to be able to show you.
Thanks for the article!

Nigel July 14, 2016 at 1:04 am

Hi Teodor.

How did you identify the suspect notes you refer to please?

I have an issue with a client's site that Bing is saying has Malware but they don't say anything else about what the malware is.

Pulling my hair our trying to remove the penalty as Bing will not show any results in it's search engines wheres the site was previously at #3

Don't think it's AIO at all but just trying to eliminate everything at present.


Debbie N. July 13, 2016 at 10:27 am

Will deactivating the all in one plugin help until there's an update?

mark July 13, 2016 at 11:07 am

Hi Debbie,

There are updates for all public security issues we've announced available now. Instead of deactivating, you should upgrade to the versions we've recommended.


Benna Strober July 13, 2016 at 11:15 am

Hi. I updated the plugin but I am still getting constant emails saying,

"The BPS Hidden Plugin Folders|Files (HPF) Cron has detected a hidden or empty plugin folder or a non-standard WP file or altered file in the /plugins/ folder. To view exact details of what was detected, log into your website and check the Hidden Plugin Folders|Files (HPF) Dashboard Alert."

Is there a way to stop them from coming?

mark July 13, 2016 at 11:44 am

Is that bulletproof security or some other plugin giving you that alert? I'd contact their support and ask them about it.

Marcelo Pedra July 13, 2016 at 11:42 am

Update to version 2.3.8 will patch BOTH vulnerabilities, right? Or it only fix the vuln posted yesterday?

mark July 13, 2016 at 11:43 am

It includes both fixes.

Hal July 13, 2016 at 11:45 am

Thanks for the heads up! I just updated all my sites.

Nigel July 14, 2016 at 12:14 am

Hi All.

Really confused on version numbers mentioned in this thread which states that the latest version is 2.3.8.

My version for AIO Pro is 2.4.8 with no update option. Following screen grab from the plugins list:-

All In One SEO Pack Pro
Documentation | Support Forum | SEO Settings | Deactivate

Out-of-the-box SEO for your WordPress blog. Features like XML Sitemaps, SEO for custom post types, SEO for blogs or business sites, SEO for ecommerce sites, and much more. Almost 30 million downloads since 2007.
Version 2.4.8 | By Michael Torbert | Visit plugin site

Follow Us


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 200 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates