Wordfence’s Threat Intelligence team has identified a vulnerability in a WordPress plugin installed on more than two million websites, All In One SEO Pack.
If exploited, the flaw could allow authenticated users with contributor-level access or higher to inject malicious scripts that are executed when a victim accesses the wp-admin panel’s ‘all posts’ page.
After discovering this medium-severity security issue, Wordfence reached out to the plugin’s team, and All In One SEO Pack received a patch to fix the problem just a couple of days afterwards.
Users of the plugin should update to the latest version of All In One SEO Pack (3.6.2) immediately to avoid falling victim to any potential attacks that try to exploit the now-patched vulnerability.
All In One SEO Pack
All in One SEO Pack is a WordPress plugin that provides a number of SEO features to help a site’s content rank higher on Google and other search engines.
As part of the plugin’s functionality, it lets users with the ability to create or edit posts set an SEO title and description directly from a post as they are working on it. This feature is available to all users with the ability to create posts, such as contributors, authors and editors.
Because the SEO title and SEO description for each post are displayed on the ‘all posts’ page, any values added to these fields were also displayed there in an unsanitized form, which would cause any stored scripts in these fields to be executed whenever a user accessed this page.
In version 3.6.2 of All in One SEO Pack, the plugin’s developer has added sanitization to all of the SEO post meta values so that any code injected into them cannot become executable scripts.
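As an added illustration (not code from All In One SEO Pack or Wordfence), the PHP below shows why echoing a stored SEO title straight into a wp-admin list column is a stored XSS sink, and the output escaping and save-time sanitization that close it. The `esc_html` and `sanitize_text_field` stand-ins, the column renderers and the sample title are all constructed for this example.

```php
<?php
// Constructed example: a stored SEO meta value rendered in an admin list
// column. The vulnerable renderer echoes it raw; the hardened one escapes
// on output, and the save path also strips markup before it is stored.

// Minimal stand-ins so this runs outside WordPress. Inside WordPress the
// real esc_html() and sanitize_text_field() are already defined and win.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Strip tags and control characters, approximating WordPress's version.
        $clean = strip_tags( (string) $str );
        return trim( preg_replace( '/[\x00-\x1F\x7F]/', '', $clean ) );
    }
}

// Constructed sample: what a contributor saved as a post's SEO title.
$stored_title = '<img src=x onerror=alert(1)>';

// VULNERABLE: the column callback prints the meta value as-is, so the
// markup becomes live HTML in every admin's browser that loads the list.
function render_seo_column_vulnerable( $value ) {
    return '<td class="seo-title">' . $value . '</td>';
}

// HARDENED: escape at the point of output, regardless of what was stored.
function render_seo_column_safe( $value ) {
    return '<td class="seo-title">' . esc_html( $value ) . '</td>';
}

// Defence in depth: sanitize before the value reaches post meta, so the
// markup is never stored in the first place.
function save_seo_title( $raw ) {
    return sanitize_text_field( $raw );
}

echo render_seo_column_vulnerable( $stored_title ), PHP_EOL; // live <img onerror> tag
echo render_seo_column_safe( $stored_title ), PHP_EOL;       // &lt;img ...&gt; shown as text
echo save_seo_title( $stored_title ), PHP_EOL;               // empty: tag stripped on save
```

Escaping on output is the control that stops the script from running even for values stored before the fix; sanitizing on save is the second layer.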