Serious Vulnerability in All in One SEO Pack Plugin 2.3.6.1 and earlier

There is a serious stored cross site scripting (XSS) vulnerability in All in One SEO Pack Plugin versions 2.3.6.1 and older. This plugin is installed on over 1 million active websites and is extremely popular and widely used.

The vulnerability allows an attacker to send a malicious HTTP User-Agent or Referrer header to the site containing an XSS payload. If the administrator then visits their admin panel and views the “Bad Bot Blocker” settings page in this plugin, the attacker can take full control of their site.

This vulnerability is only exploitable on sites that have the “Track Blocked Bots” setting enabled. This setting is not enabled by default. We do not have definitive data to indicate how many users of the plugin have enabled this feature. However, this plugin is extremely popular:

All in One SEO Pack has been downloaded over 28 million times (this includes upgrades)
It has been around for over 9 years
It is one of the most downloaded WordPress plugins. Contrary to its claim of being the most downloaded WordPress plugin, Akismet, Yoast SEO and Contact Form 7 have more downloads.

This attack has a CVSS score of 8.8 (High), however due to the extremely wide-spread use of the All in One SEO Pack plugin, we are adding this additional advisory: Wordfence rates this vulnerability as very serious because it is useful to an attacker and widely exploitable.

If as few as 10% of sites have the feature enabled, assuming an install base of 5 million active sites, that creates 500,000 vulnerable sites.

What to do

Wordfence Premium customers are already protected against exploitation of this vulnerability. We released a firewall rule to our premium customers early this morning which blocks this exploit. Our free customers will receive the rule on August 12th.

If you are using the free version of Wordfence or are not using Wordfence at all, you will need to immediately upgrade to All in One SEO Pack Plugin version 2.3.7 which contains the fix for this security issue.

Additional Details

This vulnerability was discovered by David Vaartjes and you can find the full technical details of the vulnerability on his site. Congratulations David, from the Wordfence team, on unearthing this serious issue.

A proof of concept has been published on exploit-db, which means this attack is already in the wild.

All in One SEO Pack is made by Semper Fi Web Design.

This story has received coverage in the past few hours from The Register, WP Tavern, Softpedia.com and is on the IDG News Service which includes CIO.com and PCWorld.

Timeline

July 5th: Blog post drafted by researcher. Unclear when it was published. We’re going by dates in the proof of concept.
July 8th: All in One SEO Pack 2.3.7 with fix released.
July 10th: Published in Bugtraq mailing list
July 11th: Proof of Concept published in Exploit DB.

We encourage you to share this post with the larger WordPress community to create awareness of this security issue.

Comments

9 Comments

Martin Sabel

July 12, 2016
8:09 am

Just had to say "Thanks!" again for your reliable service. How any site owner today can think about operating without WordFence is beyond me. Keep up the great work.
hughankers

July 12, 2016
8:19 am

By sheer coincidence I've only just deleted this plugin from my site due to a weird glitch where it kept changing the title of my site as shown at the top of my browser window to the title of one of my products, so this issue doesn't concern me, but it's good to know that my Premium Wordfence's firewall would have protected me anyway. I still need to install a new SEO plugin, but at least I have a top quality security plugin to protect my site from other vulnerabilities that may appear in other plugins from time to time.

Michael Torbert

July 13, 2016
10:35 am

Hi Hughankers,

We'd be happy to help you figure out the issue. https://wordpress.org/support/plugin/all-in-one-seo-pack It sounds like it could be a settings/configuration issue or conflict with another plugin or theme, but if it's a bug we'd love to fix that too.

Joe Roberts

July 12, 2016
8:41 am

I'm seeing that the Bad Bot Blocker module was introduced in the pro version 2.3.7. Does this vulnerability affect both free and pro versions of the plugin? From what I can tell it only affects pro users who have the module activated and "Track Blocked Bots" set, but would you please confirm?
Joe Roberts

July 12, 2016
8:50 am

Please disregard my previous post. The "Block Bad Bots" module is available to be activated on the free version as well.
Roland

July 13, 2016
12:26 am

It seems the plug-in has been updated (2.3.8), with credits to WordFence.
Theo

July 13, 2016
7:21 am

Updated. Thanks a ton guys, you are AWESOME!
Michael Torbert

July 13, 2016
9:40 am

We want to thank Wordfence for their responsible reporting. As noted above, a release was issued immediately for the above issue (2.3.7) which we believe would only have been able to affect .5% or less of our users. Now we've gone even further- scouring our code base for similar vulnerabilities and issuing an additional release yesterday (2.3.8) which Wordfence has verified. Now we're going all out, and having Wordfence, Sucuri and Mark Jacquith- three of the most trusted names in WordPress security independently audit us for any additional opportunities to harden our codebase. We expect to adopt those recommendations and release additional updates in the near future.
https://semperplugins.com/security-update-for-all-in-one-seo-pack/