Versions of All In One SEO Pack older than 2.3.7 are vulnerable to a serious cross-site scripting vulnerability that could allow an attacker to take over a WordPress site. All In One SEO Pack users should immediately update the plugin to the most recent version, which contains a patch to remove the vulnerability.

All In One SEO Pack is among the most popular WordPress plugins, with over a million active installations. The plugin includes numerous features for enhancing a WordPress site’s search engine optimization and security.

The vulnerability, first reported by David Vaartjes, is a persistent cross-site scripting vulnerability. Cross-site scripting vulnerabilities are among the most common security problems on the web. They occur when an attacker finds a way to inject arbitrary JavaScript code onto a website. Because JavaScript on a page is implicitly trusted to access data associated with that page, including authentication cookies, the injected code can be used to send sensitive information to servers under the control of the attacker.

While every developer knows that user input should be sanitized and encoded such that it can’t be executed if it’s displayed on an HTML page, it is challenging to block every potential path by which that might happen, which is why XSS vulnerabilities are so common.

In this case, the vulnerability is associated with All In One SEO Pack’s Bot Blocker functionality. Bot Blocker is responsible for filtering requests from a predetermined list of bots, programs that access a site for reasons that may not be compatible with the wishes of the site owners. The undesirable bots are detected based on the user agent string or referrer data and sent 404 page rather than the page they requested. Part of the Bot Blocker’s functionality is to record blocked requests for later review by the site’s owners.

Unfortunately, the data contained in those fields was not properly sanitized, so code embedded within the user agent or referrer headers is output in an executable state within the admin interface. If an admin user opens the page listing the requests, their browser will execute the injected code, potentially sending the admin user’s authentication cookie and other sensitive data to the attacker. If that happens, the attacker is in a position to take over the site.

The Bot Blocker functionality is not activated by default, and if you have not activated it, your site is not vulnerable to the attack, however, we recommend that WordPress users update to the most recent version of the plugin anyway.