The internet security firm Sucuri recently announced that they found a security risk in the WordPress plugin All-in-One SEO Pack. If you are using this plugin on your site(s), then you need to update the plugin right away.
The flaw allows a hacker to perform privilege escalation and cross-site scripting (XSS) attacks. Okay, so for most of you that won’t mean much, except that you need to upgrade! If you want to understand this a little better, then here you go.
In the first case, a logged-in user without any kind of administrative privileges (like an author or subscriber) could add or modify certain parameters used by the plugin. These include the post’s SEO title, description and keyword meta tags, all of which could decrease a website’s Search Engine Results Page (SERP) ranking if used maliciously.
If that isn’t enough, another flaw in the old plugin version allows hackers to inject malicious JavaScript code into the admin control panel, where it executes when that page is loaded. That means nasty stuff could happen, like changing the admin password or inserting backdoor code that would allow them to put more code into your website’s files so they could carry out more nasty stuff later.
Keep in mind that with all security issues, keeping things updated is a large part of the battle. Make sure your All-in-One SEO Pack is updated to version 2.1.6. While nothing is 100% secure, by being proactive you can reduce the risk that your site is exposed.
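One way to check an install against the fixed release named above, as an added example (not code from Sucuri or the plugin's authors): the script reads the `Version:` header that WordPress plugins carry at the top of their main PHP file and compares it with 2.1.6. The function names and the file path you pass in are assumptions.

```shell
#!/bin/sh
# Added example: flag a plugin file whose version predates the fix.
FIXED_VERSION="2.1.6"   # fixed release named in the article

# Print the "Version:" header value from a plugin's main PHP file.
# WordPress matches this header case-insensitively; this sketch expects
# the usual capitalisation and tolerates comment prefixes and CRLF endings.
plugin_version() {
    sed -n 's|^[[:space:]/*#@]*Version:[[:space:]]*\([0-9][0-9.]*\).*|\1|p' "$1" | head -n 1
}

# Return 0 if dot-separated numeric version $1 is older than $2.
# Compares field by field, so 2.1.10 is newer than 2.1.6 and
# 2.1.5.1 is older than 2.1.6.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Report on the plugin file at $1.
# Returns 0 = at or above the fixed version, 1 = needs update,
# 2 = no Version header found (inspect by hand).
audit_plugin() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN  $1 (no Version header)"; return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "UPDATE   $1 is $v, older than $FIXED_VERSION"; return 1
    fi
    echo "OK       $1 is $v"
}

# Usage: sh audit.sh <path to the plugin's main PHP file>
if [ "$#" -gt 0 ]; then audit_plugin "$1"; fi
```

A result of `UNKNOWN` means the header could not be parsed, so treat that install as unverified rather than safe.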
If you are not able to keep up with updates and backups of your WordPress site, give us a call at 503-683-1664 or use our contact form to get in touch. We can help you.