Written by Editorial Team on July 22, 2020

Critical Vulnerability Found In All In One SEO Pack WordPress Plugin

On 16th July 2020, we read a post by Wordfence on the critical vulnerability found in the All In One SEO Pack WordPress plugin (the original article can be found here) and we were shocked. We went into panic mode, not because we use AIOSEO, but because we know a lot of our maintenance clients do and we wanted to warn them (we are more the SEOPress type of fanboys and girls).

Thankfully a new patch was released by the AIOSEO team, and we recommend that you perform a 'check for update' if you have not done so already.

This is considered a medium severity security issue that, as with all XSS vulnerabilities, can result in complete site takeover and other severe consequences. We strongly recommend immediately updating to the latest version of this plugin. At the time of writing, that is version 3.6.2 of All in One SEO Pack.

How was the WordPress security exploit detected?

All In One SEO Pack is a plugin that provides several SEO enhancing features to help rank a WordPress site’s content higher on search engines. As part of its functionality, it allows users that have the ability to create or edit posts to set an SEO title and SEO description directly from a post as it is being edited. This makes it easier for post creators to improve the SEO of posts as they are writing them. This feature is available to all users that can create posts, such as contributors, authors, and editors.

Unfortunately, the SEO meta data for posts, including the SEO title and SEO description fields, had no input sanitization, allowing lower-level users such as contributors and authors to inject HTML and malicious JavaScript into those fields.

/**
 * Saves the data of our metabox settings for a post.
 *
 * @since   ?
 * @since   3.4.0   Added support for priority/frequency + minor refactoring.
 *
 * @param   int     $id     The ID of the post.
 * @return  bool            Returns false if there is no POST data.
 */
function save_post_data( $id ) {
    $awmp_edit = null;
    $nonce     = null;

    if ( empty( $_POST ) ) {
        return false;
    }

    if ( isset( $_POST['aiosp_edit'] ) ) {
        $awmp_edit = $_POST['aiosp_edit'];
    }

    if ( isset( $_POST['nonce-aioseop-edit'] ) ) {
        $nonce = $_POST['nonce-aioseop-edit'];
    }

    // The nonce check only proves the request came from the edit screen;
    // it does nothing to validate the content of the submitted fields.
    if ( isset( $awmp_edit ) && ! empty( $awmp_edit ) && wp_verify_nonce( $nonce, 'edit-aioseop-nonce' ) ) {

        $optlist = array(
            'keywords',
            'description',
            'title',
            'custom_link',
            'sitemap_exclude',
            'disable',
            'disable_analytics',
            'noindex',
            'nofollow',
            'sitemap_priority',
            'sitemap_frequency',
        );

        if ( empty( $this->options['aiosp_can'] ) ) {
            unset( $optlist['custom_link'] );
        }

        if ( ! AIOSEOPPRO ) {
            $optlist = array_diff( $optlist, array( 'sitemap_priority', 'sitemap_frequency' ) );
        }

        foreach ( $optlist as $optionName ) {
            // Vulnerable: the raw $_POST value (including any HTML or <script> markup)
            // is written straight into post meta with no sanitization.
            $value = isset( $_POST[ "aiosp_$optionName" ] ) ? $_POST[ "aiosp_$optionName" ] : '';
            update_post_meta( $id, "_aioseop_$optionName", $value );
        }
    }
}

The SEO title and SEO description for each post are always displayed on the ‘all posts’ page as they appear in the far right column for easier quick editing access. Therefore, any values added to the SEO title and SEO description fields would be displayed here in an unsanitized format, causing saved JavaScript in these fields to be executed when any user accessed the ‘all posts’ page.

Any JavaScript injected in the SEO description field would also be executed when visiting the post page directly if the attacker inserted a closing tag before their own script, for example </script><script>alert(0)</script>. The closing tag ends the script tag in which the SEO description is originally output, and the additional script is injected directly after it.

Due to the JavaScript being executed whenever a user accessed the ‘all posts’ page, this vulnerability would be a prime target for attackers that are able to gain access to an account that allows them to post content. Since Contributors must submit all posts for review by an Administrator or Editor, a malicious Contributor could be confident that a higher privileged user would access the ‘all posts’ area to review any pending posts. If the malicious JavaScript was executed in an Administrator’s browser, it could be used to inject backdoors or add new administrative users and take over a site.

Fortunately, in the patched version, the plugin developer has added sanitization to all of the SEO post meta values so any HTML characters supplied will be escaped and unable to become executable scripts.
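To make the two layers of the fix concrete, here is an added example (it is not the plugin's own code, and the demo_* function names are hypothetical). It places the unsanitized save path beside a hardened one that runs every value through sanitize_text_field(), and then shows the output-side escaping the 'all posts' column and the inline script tag each need. The sanitize_text_field() and esc_html() bodies below are simplified stand-ins, assumed close enough to the WordPress core functions of the same name, so the file runs outside WordPress; inside a plugin the core functions are used instead.

```php
<?php
// Added example, not the plugin's code: vulnerable save beside hardened save,
// plus the escaping needed where the stored value is output.

// Stand-ins so this runs outside WordPress (assumption: simplified versions of
// the core functions; a real plugin calls the WordPress ones).
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        $str = (string) $str;
        // Remove <script>/<style> elements with their contents, then any other tags.
        $str = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', $str );
        $str = strip_tags( $str );
        // Collapse whitespace runs and trim.
        return trim( preg_replace( '/[\r\n\t ]+/', ' ', $str ) );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Allow-list of meta fields a post editor may set (subset of the plugin's list).
const DEMO_ALLOWED_FIELDS = array( 'title', 'description', 'keywords' );

/**
 * Mirrors the vulnerable behaviour: the raw request value is kept verbatim.
 * Returns the meta key => value pairs that would be passed to update_post_meta().
 */
function demo_save_meta_vulnerable( array $post ) {
    $meta = array();
    foreach ( DEMO_ALLOWED_FIELDS as $name ) {
        $meta[ "_aioseop_$name" ] = isset( $post[ "aiosp_$name" ] ) ? $post[ "aiosp_$name" ] : '';
    }
    return $meta;
}

/**
 * Hardened save: every value goes through sanitize_text_field() before it is
 * stored, so markup never reaches the database.
 */
function demo_save_meta_hardened( array $post ) {
    $meta = array();
    foreach ( DEMO_ALLOWED_FIELDS as $name ) {
        $raw = isset( $post[ "aiosp_$name" ] ) ? $post[ "aiosp_$name" ] : '';
        $meta[ "_aioseop_$name" ] = sanitize_text_field( $raw );
    }
    return $meta;
}

/**
 * Output side, 'all posts' column: escape at the point of HTML output, so even
 * a value that was stored unsanitized cannot be parsed as markup.
 */
function demo_render_column( $title, $description ) {
    return '<td>' . esc_html( $title ) . '<br>' . esc_html( $description ) . '</td>';
}

/**
 * Output side, inline <script>: JSON-encode with the HEX flags so '<' and '>'
 * become \u003C and \u003E and a '</script>' inside the data cannot close the tag.
 */
function demo_render_inline_script( $description ) {
    $json = json_encode(
        array( 'description' => $description ),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>var aioseopDemo = $json;</script>";
}

// Constructed request using the probe string quoted in the write-up.
$request = array(
    'aiosp_title'       => 'Normal title <b>bold</b>',
    'aiosp_description' => '</script><script>alert(0)</script>',
);

$vuln = demo_save_meta_vulnerable( $request );
$safe = demo_save_meta_hardened( $request );

echo "Stored (vulnerable): ", $vuln['_aioseop_description'], "\n";
echo "Stored (hardened):   '", $safe['_aioseop_description'], "'\n";
echo demo_render_column( $vuln['_aioseop_title'], $vuln['_aioseop_description'] ), "\n";
echo demo_render_inline_script( $vuln['_aioseop_description'] ), "\n";
```

Run with `php demo.php`. The hardened save stores an empty string for the description (the script element and the stray closing tag are both stripped) and plain "Normal title bold" for the title, while the vulnerable save stores the markup untouched. The two render functions show why escaping on output is still worth having as a second layer: the column renders the stored tags as visible `&lt;script&gt;` text, and the JSON encoding keeps the script tag from being closed early even when the value was never sanitized.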

A quick video by the Wordfence team on the WordPress exploit (embedded video).

Summary

We recommend that you update all your plugins, especially All In One SEO Pack, to ensure that you are not 'opening doors' to unwanted hackers or code injection.
