Are you running WordPress? Check now to see if you're running this plugin, which has multiple critical vulnerabilities.
Do you or your company run a WordPress site? If you do, be sure you take a look at the plugins that you have installed and when you last updated them. On May 31, 2014, serious vulnerabilities were announced for the All in One SEO Pack plugin, which is used by an estimated 15 million site owners for search engine optimization (SEO). Needless to say, with more than 73 million sites running WordPress, this is an urgent issue for site owners to address.
What are the vulnerabilities?
What do you need to do?
If you have version 2.1.5 or lower of the All In One SEO Pack, you need to update immediately to version 2.1.6. Updating plugins is very easy with newer versions of WordPress (you’re using the latest version, right?).
First, log in to your WordPress dashboard and click on “Updates”. You should then see a section for “Plugins”. Select “Update all” or the “All in One SEO Pack” plugin to update to version 2.1.6.
Figure 1. Update Plugins Button in WordPress
How are you Dealing with WordPress and Plugin Updates?
At SecureState, my Attack & Defense team breaks into our clients’ WordPress sites quite frequently through vulnerable WordPress installations as well as vulnerable plugins. If we do this all the time, it’s guaranteed that an attacker will do the same to your site if you’re vulnerable. It’s only a matter of time. Unfortunately, in my experience, blogs and other marketing content usually fall outside the scope of IT, and even the scope of security in some cases, because blogs commonly fall under the PR or marketing umbrella. This is even worse for small and medium-sized businesses that don’t have an IT or Security department. Don’t let your marketing department put you at risk! Take a proactive approach: find out if your company is using CMS systems like WordPress and ask the question, “When did you last update and when did you update the plugins?” If you don’t update your CMS system and plugins, create a process to make sure that your CMS is updated on a proactive, periodic basis. For a small business, this could be as simple as a monthly calendar reminder; for a larger business, it could be as detailed as integrating CMS updates into your Vulnerability Management Program.
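The version check from "What do you need to do?" can also be scripted on the web server and run as part of the periodic process described above. The following Python script is an added example, not code from the original post or from the plugin; it assumes the plugin sits in the default `wp-content/plugins/all-in-one-seo-pack` directory, and the sample sites it builds are constructed fixtures.

```python
import re
import sys
import tempfile
from pathlib import Path

FIXED = (2, 1, 6)             # first fixed release named in the article
SLUG = "all-in-one-seo-pack"  # assumption: default plugin directory name
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9][\w.\-]*)", re.M | re.I)

def parse_version(text):
    """'2.1.5' -> (2, 1, 5); a suffix such as '-beta' is ignored."""
    parts = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in parts.group().split(".")) if parts else ()

def installed_version(plugin_dir):
    """Version header from the first 8 KB of the plugin's main .php file."""
    plugin_dir = Path(plugin_dir)
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:8192]
        m = VERSION_RE.search(head)
        if m and b"Plugin Name:" in head:   # only the main file has both headers
            return m.group(1).decode("ascii")
    return None

def audit(site_roots):
    """Return (site_root, version, status) for each WordPress root."""
    rows = []
    for root in site_roots:
        ver = installed_version(Path(root) / "wp-content" / "plugins" / SLUG)
        status = ("not installed" if ver is None else
                  "VULNERABLE" if parse_version(ver) < FIXED else "ok")
        rows.append((str(root), ver, status))
    return rows

def make_sample_site(base, name, version):  # constructed fixture, not real data
    d = Path(base) / name / "wp-content" / "plugins" / SLUG
    d.mkdir(parents=True)
    (d / "all_in_one_seo_pack.php").write_text(
        f"<?php\n/*\nPlugin Name: All In One SEO Pack\nVersion: {version}\n*/\n")
    return Path(base) / name

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        demo = [make_sample_site(tmp, "blog", "2.1.5"),
                make_sample_site(tmp, "shop", "2.1.6")]
        for row in audit(sys.argv[1:] or demo):   # pass real site roots as arguments
            print(*row, sep="\t")
```

Run it with one or more WordPress root directories as arguments; any row marked `VULNERABLE` needs the update to 2.1.6.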