New Vulnerability in All in One SEO Pack Plugin 2.3.7 and earlier

Yesterday morning Panagiotis Vagenas, a Wordfence Security Researcher, discovered a new vulnerability in the All in One SEO Pack WordPress plugin. This is in addition to another serious vulnerability we wrote about yesterday morning in the same plugin.

As detailed yesterday, All in One SEO Pack is an extremely popular plugin with over 1,000,000 active installs. Both free and Premium Wordfence users with the firewall enabled had partial protection at the time we discovered this new vulnerability. A firewall rule that provides complete protection was added to the Threat Defense Feed yesterday morning.

The author released version 2.3.8 which fixes the vulnerability yesterday afternoon.

This unauthenticated stored XSS vulnerability allows an attacker to inject javascript code into a page that requires admin privileges to view. When a site admin visits the page, the malicious code that runs can perform administrative actions such as modifying existing user privileges, creating a new admin user or stealing admin session tokens.

This exploit only works if the user has enabled the sitemap module in the plugin. We have no way of estimating the percentage of All in One SEO Pack users who are vulnerable, but given the widespread use of the plugin and the importance of sitemaps for SEO, it is likely that 100s of thousands of sites are impacted.

CVSS Severity: 8.8 (High)

What to do

Premium Wordfence customers that have the firewall enabled are already completely protected by the firewall rule we added yesterday morning. Free Wordfence users running the All in One SEO Pack plugin should upgrade to version 2.3.8 immediately, and will receive a rule to completely protect against this vulnerability on August 11th.

In addition we encourage you to share this post with the broader WordPress community to create awareness of this serious security issue.

Did you enjoy this post? Share it!


  • No new updates have been released, atleast its not showing up in wordpress plugin page.

    • Please see:

  • The All in One SEO Pack team worked with WordFence over the last few days to identify and patch any possibly similar threats to the one we patched in 2.3.7. The resulting release, 2.3.8, solves the above issue and users are advised to always stay on top of updates. We're very grateful for their help.
    As noted in our blog post yesterday, the All in One team takes the security of our plugin and our users' properties seriously and felt it due diligence to commission full audits from Sucuri and Mark Jaquith (who, along with Wordfence are the three most trusted names in WordPress security). We expect there will be future updates in the near future as we adopt recommendations on hardening the codebase.

  • My website was hacked few days ago and I found some suspect notes in this plugin so I have removed it, and it took me one day to repair back the website. I am not that the All in one seo pack was the cause of this, but as I said some strange notes inside it and suspicious files were found. I am sorry I did not keep those notes to be able to show you.
    Thanks for the article!

    • Hi Teodor.

      How did you identify the suspect notes you refer to please?

      I have an issue with a client's site that Bing is saying has Malware but they don't say anything else about what the malware is.

      Pulling my hair our trying to remove the penalty as Bing will not show any results in it's search engines wheres the site was previously at #3

      Don't think it's AIO at all but just trying to eliminate everything at present.


  • Will deactivating the all in one plugin help until there's an update?

    • Hi Debbie,

      There are updates for all public security issues we've announced available now. Instead of deactivating, you should upgrade to the versions we've recommended.


  • Hi. I updated the plugin but I am still getting constant emails saying,

    "The BPS Hidden Plugin Folders|Files (HPF) Cron has detected a hidden or empty plugin folder or a non-standard WP file or altered file in the /plugins/ folder. To view exact details of what was detected, log into your website and check the Hidden Plugin Folders|Files (HPF) Dashboard Alert."

    Is there a way to stop them from coming?

    • Is that bulletproof security or some other plugin giving you that alert? I'd contact their support and ask them about it.

  • Update to version 2.3.8 will patch BOTH vulnerabilities, right? Or it only fix the vuln posted yesterday?

    • It includes both fixes.

  • Thanks for the heads up! I just updated all my sites.

  • Hi All.

    Really confused on version numbers mentioned in this thread which states that the latest version is 2.3.8.

    My version for AIO Pro is 2.4.8 with no update option. Following screen grab from the plugins list:-

    All In One SEO Pack Pro
    Documentation | Support Forum | SEO Settings | Deactivate

    Out-of-the-box SEO for your WordPress blog. Features like XML Sitemaps, SEO for custom post types, SEO for blogs or business sites, SEO for ecommerce sites, and much more. Almost 30 million downloads since 2007.
    Version 2.4.8 | By Michael Torbert | Visit plugin site