According to WordPress’s founder Matt Mullenweg, his service now powers 18.9% of the Web, so WordPress rules a large chunk of the Internet. To help any one of those 46m websites reach the top of the search engines, a wildly popular WordPress SEO plugin called “All in One SEO Pack” has been installed 18.5 million times. Now it seems that the plugin not only delivers the SEO it promises, it also throws in an additional risk: a flaw that allows others unauthorized access to the site.
The vulnerability was only discovered last week, and it could allow hackers to access non-administrative WordPress accounts, elevate their privileges, and inject malicious code into the admin panel. Since then, the plugin developers have released a new version of “All in One SEO Pack” to patch it up. So if you are one of the many who installed the plugin, you should update now.
This slip-up could affect WordPress sites with subscribers, authors and other non-admin users logging in to wp-admin, as well as sites with open registration. If that describes your site, update immediately, as the consequences could otherwise be far-reaching.
According to Marc-Alexandre Montpas, security analyst at Sucuri, these security flaws allow an attacker to conduct privilege escalation and cross-site scripting (XSS) attacks. A logged-in user, without possessing any kind of administrative privileges, could add or modify certain parameters used by the plugin, including a post’s SEO title, description and keyword meta tags. Used maliciously, this could lower the website’s Search Engine Results Page (SERP) ranking.
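To show what a flaw of this class looks like in a WordPress plugin, here is an added illustration (not the All in One SEO Pack’s actual code) of a `save_post` handler that writes SEO meta fields: first the form that lets any logged-in user set unescaped values, then the hardened form with a nonce check, a per-post capability check, input sanitization and output escaping. The `demo_seo_*` function names and `_demo_seo_*` meta keys are invented for this example.

```php
<?php
// Added illustrative example, not the plugin's real code. The meta keys and
// function names are hypothetical; the WordPress API calls are real.
const DEMO_SEO_KEYS = array('_demo_seo_title', '_demo_seo_description', '_demo_seo_keywords');

// VULNERABLE PATTERN: no nonce, no capability check, no sanitization.
// Any authenticated user who can reach this hook writes raw values that are
// later rendered in the admin screen (stored XSS) and change the post's SEO.
function demo_seo_save_vulnerable($post_id) {
    foreach (DEMO_SEO_KEYS as $key) {
        if (isset($_POST[$key])) {
            update_post_meta($post_id, $key, $_POST[$key]);
        }
    }
}

// HARDENED PATTERN: verify the request origin, then authorization on THIS
// post, then sanitize before storing.
function demo_seo_save_hardened($post_id) {
    // Skip autosaves and revisions, which should never carry form data.
    if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) { return; }
    if (wp_is_post_revision($post_id)) { return; }
    // CSRF protection: the form must carry a valid nonce for this action.
    if (!isset($_POST['demo_seo_nonce']) ||
        !wp_verify_nonce($_POST['demo_seo_nonce'], 'demo_seo_save')) { return; }
    // Authorization: a subscriber has no edit_post capability and stops here.
    if (!current_user_can('edit_post', $post_id)) { return; }
    foreach (DEMO_SEO_KEYS as $key) {
        if (isset($_POST[$key])) {
            // Strip slashes added by WP, then reduce to plain text.
            $clean = sanitize_text_field(wp_unslash($_POST[$key]));
            update_post_meta($post_id, $key, $clean);
        }
    }
}
add_action('save_post', 'demo_seo_save_hardened');

// Output escaping on the admin screen: even a value that slipped past input
// validation cannot break out of the attribute.
function demo_seo_render_field($post_id, $key) {
    $value = get_post_meta($post_id, $key, true);
    printf('<input type="text" name="%s" value="%s" />', esc_attr($key), esc_attr($value));
}
```

Sanitizing on input and escaping on output are both needed: the capability check stops the unprivileged write, while `esc_attr()` keeps anything already stored from executing in an administrator’s browser.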
Since WordPress is the most popular website platform around, often used by SMEs and individuals, plugin security issues can disrupt businesses and schedules. With hosted WordPress, hosting providers usually update plugins automatically and keep track of security issues to keep the websites safe. The first lesson here is that staying on top of plugin updates is extremely important in maintaining website security. This is not the first time WordPress sites have been targeted: last year, attackers went after WordPress websites with weak admin credentials.
In fact, the second lesson is that updating the plugin will prevent future non-approved meddling, but the damage may already have been done. While this may sound harsh, and hindsight is 20/20, one way to prevent this from happening is to have a prior backup that is free from such bugs. With a ‘clean’ copy stored from before the incursion through the “All-In-One-SEO” plugin, you can revert to it and be at ease. So besides updating the plugin and hoping the scare did not affect you, make sure you have WordPress backup copies available moving forward.