SecureState Blog

Read SecureState's award winning blog.

Are you running Wordpress? Check now to see if you're running this plugin which has multiple critical vulnerabilities.

Do you or your company run a WordPress site?  If you do, be sure you take a look at the plugins that you have installed and when you last updated them.  On May 31, 2014 serious vulnerabilities were announced for the All in One SEO Pack plugin, which is used by an estimated 15 million site owners for search engine optimization (SEO). Needless to say, with more than 73 million sites running WordPress, this is an urgent issue for site owners to address.


What are the vulnerabilities?

The plugin is vulnerable to two security issues, which were discovered through a code audit conducted by a security company called Sucuri.  The first is a privilege escalation vulnerability where a non-administrative user (contributor, subscriber, etc.) can modify parameters that are used by the plugin.  These actions could alter the search engine results if these parameters are successfully changed.  The second issue can be used in combination with the first for an attacker to conduct aCross-Site Scripting (XSS) attack.  XSS is a vulnerability which can allow malicious JavaScript code to be executed in the user’s web browser, which can allow everything from key logging, unauthorized password changes and unauthorized access to the server (to name a few of the attacks that XSS is capable of).


What do you need to do?

If you have version 2.1.5 or lower of the All In One SEO Pack, you need to update immediately to version 2.1.6.  Updating plugins is very easy with newer versions of WordPress (you’re using the latest version, right?).

First, log in to your WordPress dashboard and click on “Updates”.  You should then see a section for “Plugins”. Select “Update all” or the “All in One SEO Pack” plugin to update to version 2.1.6.


Figure 1. Update Plugins Button in WordPress

How are you Dealing with WordPress and Plugin Updates?

At SecureState, my Attack & Defense team breaks into our clients WordPress sites quite frequently through vulnerable WordPress installations as well as vulnerable plugins.  If we do this all the time, it’s guaranteed that an attacker will do the same to your site if you’re vulnerable.  It’s only a matter of time.  Unfortunately from my experience, blogs or other marketing content usually falls outside the scope of IT and even the scope of security in some cases because blogs commonly fall under the PR or marketing umbrella.  This is even worse for small and medium size businesses that don’t have an IT or Security department. Don’t let your marketing department put you at risk!  Take a proactive approach and find out if your company is using CMS systems like WordPress and ask the question, “When did you last update and when did you update the plugins?’.  If you don’t update your CMS system and plugins, create a process to make sure that your CMS is updated on a proactive, periodic basis. For a small business, this could be as simple as a monthly calendar reminder or for a larger business, as detailed as integrating CMS updates into your Vulnerability Management Program.