Vulnerabilities have been discovered in the popular All In One SEO Pack WordPress plugin that could allow privilege escalation and cross-site scripting attacks. The plugin has been patched and users should ensure that they immediately update to the most recent version or there is a real risk of their WordPress site being compromised.

In a recent post on the Sucuri Blog security researcher Marc-Alexandre Montpas revealed the discovery of a pair of critical vulnerabilities in the plugin, which is used for search engine optimization on a large number of WordPress sites. The free version of the All In One SEO plugin has over 18 million downloads and provides features like meta tag generation, XML sitemap support, and robots.txt control.

According to Montpas, two exploitable vulnerabilities were discovered. The first allows logged-in users without admin privileges — an author or ordinary user, for example – to adjust parameters used by the plugin to change title tags, meta description tags, and keyword meta tags. By changing these parameters, a malicious user could cause a site’s search engine optimization to be degraded — a serious problem for sites that depend on Google for referrals.

The second vulnerability is more serious, and when combined with the first allows attackers to inject JavaScript code into a WordPress site’s administrator control panel — a cross-site scripting vulnerability. Cross-site scripting attacks use weaknesses in input sanitization and other vulnerabilities to place JavaScript onto a page, which will then be executed by a browser. Because the browser trusts the site, it will trust the injected code, which potentially allows an attacker to change the admin password, harvest user credentials, or insert a backdoor into the site’s files.

All WordPress sites running older versions of the All In One SEO plugin, potentially millions of sites, may be vulnerable.

Mitigating the risks is simple: update the plugin to the most recent version, or deactivate and remove the plugin. Alternative SEO plugins include Yoast SEO.

If you navigate to the plugin page of your WordPress site, assuming you have not already updated, you will be presented with the option to update All In One SEO Pack. If you are not given the option of updating, it’s likely that your site is already running the most recent version. To make sure, you can force WordPress to run an update by selecting the plugin, choosing update from the drop-down menu at the top of the plugin list, and clicking apply, as shown in the image below.