There is a serious stored cross site scripting (XSS) vulnerability in All in One SEO Pack Plugin versions 18.104.22.168 and older. This plugin is installed on over 1 million active websites and is extremely popular and widely used.
The vulnerability allows an attacker to send a malicious HTTP User-Agent or Referrer header to the site containing an XSS payload. If the administrator then visits their admin panel and views the “Bad Bot Blocker” settings page in this plugin, the attacker can take full control of their site.
This vulnerability is only exploitable on sites that have the “Track Blocked Bots” setting enabled. This setting is not enabled by default. We do not have definitive data to indicate how many users of the plugin have enabled this feature. However, this plugin is extremely popular:
- All in One SEO Pack has been downloaded over 28 million times (this includes upgrades)
- It has been around for over 9 years
- It is one of the most downloaded WordPress plugins. Contrary to its claim of being the most downloaded WordPress plugin, Akismet, Yoast SEO and Contact Form 7 have more downloads.
This attack has a CVSS score of 8.8 (High), however due to the extremely wide-spread use of the All in One SEO Pack plugin, we are adding this additional advisory: Wordfence rates this vulnerability as very serious because it is useful to an attacker and widely exploitable.
If as few as 10% of sites have the feature enabled, assuming an install base of 5 million active sites, that creates 500,000 vulnerable sites.
What to do
Wordfence Premium customers are already protected against exploitation of this vulnerability. We released a firewall rule to our premium customers early this morning which blocks this exploit. Our free customers will receive the rule on August 12th.
If you are using the free version of Wordfence or are not using Wordfence at all, you will need to immediately upgrade to All in One SEO Pack Plugin version 2.3.7 which contains the fix for this security issue.
This vulnerability was discovered by David Vaartjes and you can find the full technical details of the vulnerability on his site. Congratulations David, from the Wordfence team, on unearthing this serious issue.
A proof of concept has been published on exploit-db, which means this attack is already in the wild.
All in One SEO Pack is made by Semper Fi Web Design.
This story has received coverage in the past few hours from The Register, WP Tavern, Softpedia.com and is on the IDG News Service which includes CIO.com and PCWorld.
We encourage you to share this post with the larger WordPress community to create awareness of this security issue.