Critical Vulnerability Found In All In One SEO Pack WordPress Plugin

On 16th July 2020 we read a post by Wordfence on a critical vulnerability found in the All In One SEO Pack WordPress plugin (the original article can be found here) and we were shocked. We went into panic mode not because we use AIOSEO ourselves (we are more of the SEOPress type of fanboys and girls), but because we know a lot of our maintenance clients do, and we wanted to warn them.

Thankfully the AIOSEO team has already released a patched version, and we recommend that you run a 'check for updates' in your WordPress dashboard if you have not done so.

Wordfence rates this a medium severity issue, but as with other stored XSS flaws in the WordPress admin area it can still result in complete site takeover. We strongly recommend updating to the latest version of this plugin immediately. At the time of writing, that is version 3.6.2 of All in One SEO Pack.

How Does This WordPress Vulnerability Work?

All In One SEO Pack is a plugin that provides several SEO enhancing features to help rank a WordPress site’s content higher on search engines. As part of its functionality, it allows users that have the ability to create or edit posts to set an SEO title and SEO description directly from a post as it is being edited. This makes it easier for post creators to improve the SEO of posts as they are writing them. This feature is available to all users that can create posts, such as contributors, authors, and editors.

Unfortunately, the SEO meta data for posts, including the SEO title and SEO description fields, had no input sanitization, allowing lower-level users like contributors and authors to inject HTML and malicious JavaScript into those fields. The vulnerable save routine, as excerpted in the Wordfence write-up, looked like this:

/**
 * Saves the data of our metabox settings for a post.
 *
 * Vulnerable version (before 3.6.2): the raw $_POST values are written to post meta
 * with no sanitization, which is the root cause of the stored XSS. This is a method
 * of the plugin's main class ($this->options); AIOSEOPPRO is a constant the plugin defines.
 *
 * @since   ?
 * @since   3.4.0   Added support for priority/frequency + minor refactoring.
 * @param   int     $id     The ID of the post.
 * @return  bool            Returns false if there is no POST data.
 */
function save_post_data( $id ) {
    $awmp_edit = null;
    $nonce     = null;
    if ( empty( $_POST ) ) {
        return false;
    }
    if ( isset( $_POST['aiosp_edit'] ) ) {
        $awmp_edit = $_POST['aiosp_edit'];
    }
    if ( isset( $_POST['nonce-aioseop-edit'] ) ) {
        $nonce = $_POST['nonce-aioseop-edit'];
    }
    if ( isset( $awmp_edit ) && ! empty( $awmp_edit ) && wp_verify_nonce( $nonce, 'edit-aioseop-nonce' ) ) {
        // Option names whose values are read from $_POST. The excerpt omits the full list;
        // only the names referenced elsewhere in the excerpt are shown here.
        $optlist = array(
            'title',
            'description',
            'custom_link',
            'sitemap_priority',
            'sitemap_frequency',
        );
        if ( empty( $this->options['aiosp_can'] ) ) {
            unset( $optlist['custom_link'] );
        }
        if ( ! AIOSEOPPRO ) {
            $optlist = array_diff( $optlist, array( 'sitemap_priority', 'sitemap_frequency' ) );
        }
        foreach ( $optlist as $optionName ) {
            // No sanitization: HTML and <script> tags in the submitted value are stored as-is.
            $value = isset( $_POST[ "aiosp_$optionName" ] ) ? $_POST[ "aiosp_$optionName" ] : '';
            update_post_meta( $id, "_aioseop_$optionName", $value );
        }
    }
    return true;
}

The SEO title and SEO description for each post are always displayed in the far right column of the 'all posts' page for quick editing access. Any values saved in these fields were rendered there unescaped, so JavaScript stored in them executed whenever any user opened the 'all posts' page.

The SEO description was also output inside a <script> block on the post's own page, so JavaScript injected there would execute as well if the attacker first closed that block. A value such as </script><script>alert(0)</script> terminates the plugin's original script tag and opens a new one directly after it.

Because the JavaScript ran whenever a user opened the 'all posts' page, this vulnerability is a prime target for attackers who have gained access to an account that can create content. Contributors must submit every post for review by an Administrator or Editor, so a malicious Contributor could be confident that a higher-privileged user would visit the 'all posts' area to review pending posts. Executed in an Administrator's browser, the JavaScript rides on the admin's session and could be used to inject backdoors, add new administrative users and take over the site.

Fortunately, in the patched version the developer added sanitization to all of the SEO post meta values, so any HTML characters supplied are escaped and cannot become executable scripts.
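To make the two halves of the fix concrete, here is an added example (ours, not code from All in One SEO Pack or from the Wordfence write-up). It puts the unsanitized save path described above next to a hardened version, and shows the two output contexts the write-up mentions: the 'all posts' column and a <script> block. When run outside WordPress, the WordPress functions it calls are replaced by simplified stand-ins (an assumption made so the script runs as-is with `php aioseo_xss_demo.php`); inside WordPress the real functions are used. The plugin's own 3.6.2 patch may differ in detail from the hardened version shown.

```php
<?php
// Added example, not plugin code. Stand-ins below are only defined when the real
// WordPress functions are absent, so the same file runs inside or outside WordPress.

$GLOBALS['demo_meta'] = array(); // stand-in for the wp_postmeta table

if ( ! function_exists( 'update_post_meta' ) ) {
    function update_post_meta( $post_id, $key, $value ) {
        $GLOBALS['demo_meta'][ $post_id ][ $key ] = $value;
        return true;
    }
    function get_post_meta( $post_id, $key, $single = false ) {
        return isset( $GLOBALS['demo_meta'][ $post_id ][ $key ] ) ? $GLOBALS['demo_meta'][ $post_id ][ $key ] : '';
    }
    // Simplified: the real sanitize_text_field() also strips invalid UTF-8 and normalises whitespace.
    function sanitize_text_field( $str ) {
        return trim( strip_tags( (string) $str ) );
    }
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
    // json_encode() escapes "/" as "\/", so a "</script>" inside the data cannot close the enclosing <script>.
    function wp_json_encode( $data ) {
        return json_encode( $data );
    }
    function wp_verify_nonce( $nonce, $action ) {
        return $nonce === 'demo-nonce'; // demo only; a real nonce is covered by WordPress itself
    }
}

// Vulnerable shape (All in One SEO Pack before 3.6.2): the nonce IS verified, but the
// values go from the request into post meta untouched.
function vulnerable_save_seo_meta( array $post, $post_id ) {
    if ( ! isset( $post['nonce-aioseop-edit'] ) || ! wp_verify_nonce( $post['nonce-aioseop-edit'], 'edit-aioseop-nonce' ) ) {
        return false;
    }
    foreach ( array( 'title', 'description' ) as $name ) {
        $value = isset( $post[ "aiosp_$name" ] ) ? $post[ "aiosp_$name" ] : '';
        update_post_meta( $post_id, "_aioseop_$name", $value );
    }
    return true;
}

// Hardened shape: same nonce check, values sanitised on the way in.
function hardened_save_seo_meta( array $post, $post_id ) {
    if ( ! isset( $post['nonce-aioseop-edit'] ) || ! wp_verify_nonce( $post['nonce-aioseop-edit'], 'edit-aioseop-nonce' ) ) {
        return false;
    }
    foreach ( array( 'title', 'description' ) as $name ) {
        $value = isset( $post[ "aiosp_$name" ] ) ? sanitize_text_field( $post[ "aiosp_$name" ] ) : '';
        update_post_meta( $post_id, "_aioseop_$name", $value );
    }
    return true;
}

// Output contexts from the write-up. Escaping on output is what keeps even an old,
// unsanitised value harmless: esc_html() in the 'all posts' column, JSON encoding in <script>.
function render_list_column( $post_id ) {
    return '<td>' . esc_html( get_post_meta( $post_id, '_aioseop_description', true ) ) . '</td>';
}
function render_script_block( $post_id ) {
    return '<script>var seoDescription = ' . wp_json_encode( get_post_meta( $post_id, '_aioseop_description', true ) ) . ';</script>';
}

// Constructed request carrying the payload from the write-up, as a contributor would submit it.
$request = array(
    'aiosp_title'        => 'My post',
    'aiosp_description'  => '</script><script>alert(0)</script>',
    'nonce-aioseop-edit' => 'demo-nonce',
);

vulnerable_save_seo_meta( $request, 1 ); // post 1 now holds the raw payload
hardened_save_seo_meta( $request, 2 );   // post 2 holds only the tag-stripped text

echo 'vulnerable meta: ', get_post_meta( 1, '_aioseop_description', true ), "\n";
echo 'hardened meta  : ', get_post_meta( 2, '_aioseop_description', true ), "\n";
echo 'list column    : ', render_list_column( 1 ), "\n";  // raw payload, but HTML-escaped: inert
echo 'script block   : ', render_script_block( 1 ), "\n"; // raw payload, but JSON-escaped: inert
```

The point of the last two lines is that sanitising on save is not enough on its own: any payload already sitting in wp_postmeta from before the update is still there, and only correct escaping at each output context stops it from running. If you ran a vulnerable version with untrusted contributors, it is worth querying the `_aioseop_title` and `_aioseop_description` meta values for `<` characters before trusting the upgrade alone.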

~A quick video by the Wordfence team on the WordPress exploit


We recommend that you keep all your plugins updated, especially All In One SEO Pack, so that you are not 'opening doors' to unwanted hackers or code injection.

How To Revamp Your WordPress Site During The Pandemic?

The Covid-19 pandemic has changed how businesses work and perform, especially online. Revamping your website during the pandemic should include the very basics and some specific actions that better position you to serve your clients and target audiences, and of course keep your business thriving. What do we suggest? We're glad you asked!

Improve the Online User Experience

These are basic things you should do periodically, pandemic or business as usual. Internet use in 2020 simply demands them if you want to be competitive with every other website. If you haven't made these upgrades yet, now is the time.

So, what does UX mean when it comes to revamping your WordPress site? Here's the list:

  • Publish high-quality content (over 1,500 words)
  • Serve your site securely over HTTPS
  • Make your WordPress site mobile-friendly (including voice search)
  • Check that all links work (hint: fix broken links)
  • Master your on-page optimization
  • Earn relevant and authoritative backlinks
  • Optimize your page speed

~Focus on having an intuitive UX design to improve the visitor's experience

Focus on Improving Social Proof

Social proof, a term coined by Robert Cialdini in his 1984 book, Influence, is also known as informational social influence. It describes a psychological and social phenomenon wherein people copy the actions of others in an attempt to undertake behavior in a given situation (source: Wikipedia).

Social proof is testimony from actual users about your products, services, and overall customer service efforts. Good social proof strengthens your business reputation and makes it more likely that others will choose your business over your competitors. While you are making the needed website changes, reach out to your clients and ask them for a review of the services or products they have purchased.

~Social proofs are great ways to increase your trust and authority level

Not sure where to start? Don't worry! Google My Business, Yelp! and written testimonials are great ways to start and you should implement them on your WordPress site.

Google My Business – If you haven’t already, claim your Google My Business page, personalize it, add some photos, and start directing users to it for testimonials.

Yelp! – Connects people with great local businesses. Claim your Yelp! Business Page, personalize it and share it with your clients when you ask for their reviews.

Testimonials – If you have a means for users to share reviews directly on your website, this can be a great way to gather testimonials. If not, ask for written comments when users visit your Google and Yelp! Business Pages.

Did you know?

Thrive Ovation is an excellent set-and-forget testimonial plugin for WordPress websites that is super easy to integrate and install. No coding skills required!

Offer Enticing Lead Magnets to Increase Traffic to Areas that Need Growth

Offering something of value for contact information is a great way to swap value for value, like an old-fashioned trading post. In order to really maximize their potential, lead magnets should:

  • Solve a real problem
  • Focus on one thing
  • Be easily understood and used
  • Offer high value to users
  • Be instantly accessible
  • Demonstrate your unique value proposition or expertise
~Generate more potential leads using lead magnets

The best lead magnets are simply too good to pass up for sharing a simple name and email address. They directly impact a genuine pain point of your target audience. This generates interest in the free offering and gathers you a new lead for your mailing list that is already interested in what services or products you provide.

Okay, we get it. You are running a business and you certainly don't have the time to figure out lead generation magnets for your WordPress site.

OptinMonster is what we use and recommend. It is easy to use and it comes with many features, including ready-made templates that you can (almost) instantly use to create powerful lead magnets.

Let's take a quick moment to watch OptinMonster in action.

~OptinMonster is a great conversion optimization software for business websites

Lead Magnet (Finally) Done Right

OptinMonster is a powerful lead generation software that converts abandoning visitors into subscribers with its dynamic marketing tools and Exit Intent® technology.

Working on revamping your site

There are many ways you can revamp your WordPress site for better service and profitability. Do you have more tips and strategies that you use, especially during this pandemic?

Share your ideas in the comments section!

Scalability In Hosting: The How's And Why's That You Need To Know

What does scalability in hosting mean to you? In general terms, scalability is the ability to scale your web hosting. In most cases that means upgrading to a higher hosting plan to cope with growing traffic; it can also mean upgrading to a higher plan for better features.

Either way, scalability is an important factor when it comes to making the right web hosting choice.

8 reasons why scalability is important for your online business

~Scalability in web hosting
  1. Growing visitor count. When the number of visitors increases, you probably need better hosting to avoid bandwidth overage charges.
  2. Processing power. The higher the web traffic, the more processing power you need. Processing power here is your hosting server's capacity to perform tasks: the more it has, the faster your website loads.
  3. Security features. There are also instances where you need to scale your hosting plan because you require additional security features. Some web hosting companies provide better and more comprehensive security features on higher hosting plans.
  4. Additional domains. If you are constantly flipping domains or adding domains to your account, you might hit the domain quota fast. Upgrading to a higher hosting plan gives you a larger domain quota.
  5. Hosting features. Upgrading to a higher hosting plan also gives you more hosting benefits as a whole. For example, higher plans usually come with more CPU, more RAM and a dedicated environment, which helps you scale your online business.
  6. eCommerce store. Thinking of starting an online store? If you are using WordPress and WooCommerce, you probably need WooCommerce-specific hosting to avoid resource contention. Plus, a bigger hosting plan means more space for images and more concurrent visitor actions.
  7. Moving host. Scaling doesn't always happen within the same web host. You could be moving from one host to another for better pricing or performance.
  8. Hosting limitations. This happens more often than you can imagine. At times, some hosts limit certain actions to keep the server running at its peak. This is very common in the shared hosting space. Scaling your hosting plan lets you perform the tasks you want without any, or much, limitation.

Critical Vulnerability Found In The Official MailerLite Sign Up Forms Plugin For WordPress

Update: The Official MailerLite Sign Up Forms plugin for WordPress was updated to version 1.4.5 on 26th May 2020, which is said to patch the vulnerability. Now that the new version is out, it is important to update the plugin if you have it installed on your site. We also hope sufficient notifications reach the affected users so they update the plugin as soon as possible.

A new and critical vulnerability has been discovered in the Official MailerLite Sign Up Forms plugin for WordPress (versions 1.4.4 and below). The vulnerability allows an unauthorized attacker to perform an SQL injection and gain access to the administrative panel of the site. The plugin is also vulnerable to CSRF attacks.

Here are the details of the vulnerability:

  • Plugin versions 1.4.4 and below are affected
  • Affected file: include/mailerlite-admin.php

We recommend that you scan your sites immediately rather than waiting for a scheduled automatic scan, and that you update the plugin as soon as the patched version is available to you.

Want to learn more about this WordPress vulnerability? Click here for more details.

Why should you care about this WordPress vulnerability?

This vulnerability can lead to serious WordPress security issues for your site. As a reminder, with administrative access attackers can plant a backdoor in your WordPress site and perform any task an administrator can.

If you are using the Official MailerLite Sign Up Forms plugin, we recommend that you update it immediately.

Vulnerability Found In SiteOrigin WordPress Page Builder Plugin

On May 12, 2020, a critical vulnerability was found in the popular WordPress page builder plugin Page Builder by SiteOrigin. This vulnerability threatens the more than one million websites that use SiteOrigin.

According to researchers at Wordfence, the two security bugs combine cross-site request forgery (CSRF) with reflected cross-site scripting (XSS). They “allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser,” the Wordfence researchers wrote in a Monday posting.

They assigned both flaws a severity score of 8.8 out of 10 (CVSS); no CVEs had yet been assigned.

What Is This WordPress Vulnerability All About?

If exploited, both bugs could be used to redirect a site’s administrator, create a new administrative user account or inject a backdoor on a site.

The first issue lies in the built-in live editor within the plugin – this feature lets users update content and drag/drop widgets while gaining a real-time view of the changes on the given website.

“In order to show the modifications in real-time through the live editor, the plugin registers the is_live_editor() function to check if a user is in the live editor,” explained Wordfence researchers. “If the user is in the live editor, the siteorigin_panels_live_editor parameter will be set to ‘true’ and register that a user is accessing the live editor. The plugin will then attempt to include the live editor file which renders all of the content.”

~SiteOrigin vulnerability threatens over 1 million website users

This “live-editor-preview.php” rendering file thus updates the page preview with changes made, in real-time.

The problem is that there is no nonce protection to verify that an attempt to render content in the live editor came from a legitimate source, according to Wordfence.

“Some of the available widgets, such as the ‘Custom HTML’ widget, could be used to inject malicious JavaScript into a rendered live page,” the researchers wrote. “If a site administrator was tricked into accessing a crafted live preview page, any malicious JavaScript included as part of the Custom HTML widget could be executed in the browser.”

The data associated with a live preview was never stored in the database, so in conjunction with the CSRF flaw this is a reflected XSS rather than a stored XSS.

The second flaw is also a CSRF-to-XSS issue, this time in the plugin's action_builder_content function, which is tied to the AJAX action wp_ajax_so_panels_builder_content.

“This function’s purpose was to transmit content submitted as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created from the live editor,” the researchers said. “This function did have a permissions check to verify that a user had the capability to edit posts for the given post_id. However, there was no nonce protection to verify the source of a request, causing the CSRF flaw.”

In testing exploits, the researchers found that the “Text” widget could be used to inject malicious JavaScript due to the ability to edit content in a “text” mode rather than a “visual” mode.

“This allowed potentially malicious JavaScript to be sent unfiltered,” according to Wordfence. “Due to the widget data being echoed, any malicious code that was a part of the text widgets data could then be executed as part of a combined CSRF to XSS attack in a victim’s browser.”
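The pattern behind both SiteOrigin bugs is an action handler that checks the user's capability but never checks where the request came from. The following is an added example (ours, not SiteOrigin's code) showing that shape next to its hardened form. The handler, parameter and action names (`_panelsnonce`, `panels_action`) are our own, chosen for illustration. Outside WordPress the nonce, capability and filtering functions are replaced by simplified stand-ins (an assumption that lets the script run as-is with `php siteorigin_csrf_demo.php`); inside WordPress the real ones are used.

```php
<?php
// Added example, not plugin code. Stand-ins are only defined when WordPress is absent.

if ( ! function_exists( 'wp_create_nonce' ) ) {
    define( 'DEMO_NONCE_SECRET', 'replace-with-a-random-secret' ); // WordPress derives this from NONCE_KEY/NONCE_SALT
    function demo_current_user_id() { return 1; }
    // A nonce is an HMAC over the action and the user, so a value harvested from one user or
    // one form cannot be replayed for another. (WordPress also rotates it on a 12-hour tick.)
    function wp_create_nonce( $action ) {
        return substr( hash_hmac( 'sha256', $action . '|' . demo_current_user_id(), DEMO_NONCE_SECRET ), -10 );
    }
    function wp_verify_nonce( $nonce, $action ) {
        return is_string( $nonce ) && hash_equals( wp_create_nonce( $action ), $nonce );
    }
    function current_user_can( $cap, $post_id = 0 ) { return true; } // the victim is an administrator
    function wp_kses_post( $html ) { return strip_tags( $html, '<p><a><b><i><strong><em>' ); } // simplified allow-list
}

// Vulnerable shape: capability check only. A form on an attacker's site, auto-submitted by the
// logged-in administrator's browser, passes this check because the browser attaches the admin's
// cookies to the request.
function vulnerable_builder_content( array $request ) {
    if ( ! current_user_can( 'edit_post', (int) $request['post_id'] ) ) {
        return array( 'ok' => false, 'error' => 'forbidden' );
    }
    return array( 'ok' => true, 'html' => $request['panels_data'] ); // echoed back unfiltered
}

// Hardened shape: the request must carry a nonce that only a page WordPress served to this user
// contains (an attacker's site cannot read it cross-origin), and widget content is filtered
// before it is echoed.
function hardened_builder_content( array $request ) {
    if ( ! isset( $request['_panelsnonce'] ) || ! wp_verify_nonce( $request['_panelsnonce'], 'panels_action' ) ) {
        return array( 'ok' => false, 'error' => 'bad nonce' );
    }
    if ( ! current_user_can( 'edit_post', (int) $request['post_id'] ) ) {
        return array( 'ok' => false, 'error' => 'forbidden' );
    }
    return array( 'ok' => true, 'html' => wp_kses_post( $request['panels_data'] ) );
}

// Constructed requests: the forged one is what a cross-site form would submit on the admin's
// behalf; the legitimate one is what the editor page itself submits, nonce included.
$forged = array( 'post_id' => 5, 'panels_data' => '<p>hi</p><script>alert(document.cookie)</script>' );
$legit  = $forged + array( '_panelsnonce' => wp_create_nonce( 'panels_action' ) );

echo json_encode( vulnerable_builder_content( $forged ) ), "\n"; // accepted, script echoed
echo json_encode( hardened_builder_content( $forged ) ), "\n";   // rejected: no valid nonce
echo json_encode( hardened_builder_content( $legit ) ), "\n";    // accepted, script tag stripped
```

Inside WordPress the same check is one call: `check_ajax_referer( 'panels_action', '_panelsnonce' )` verifies the nonce and terminates the request on failure, and `wp_nonce_field()` or `wp_create_nonce()` puts the token into the page that the editor's JavaScript submits. Note that the nonce alone would have stopped the CSRF half of these bugs; filtering the widget data is still needed because an editor-level account is allowed to reach this handler legitimately.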

How To Know If Your WordPress Site Is Affected?

This WordPress vulnerability affects Page Builder by SiteOrigin version 2.10.15 and below; to avoid full site takeover, admins should upgrade to version 2.10.16 or later.

It should also be noted that the attacker needs to trick a logged-in site administrator into performing an action, such as clicking a link or opening an attachment, for the attack to succeed.

Wordfence thanked the developer "for an extremely prompt response and for releasing a patch very quickly."

The latest version of the plugin, v. 2.10.16, has resolved the issues. At the time of writing, 66.6% of all users have updated their builds. It is recommended that users make sure they are up-to-date. 

5 Things You Didn't Know About WordPress Care Packages (That Will Save You $1,000's)

WordPress care packages are great assets for large WordPress websites. Instead of spending an allocated sum each month on website developers, you can pay a smaller figure, or pay as you go, to a WordPress agency to maintain your website.

1. The Size of Your Website

~A large website will benefit more from WordPress care packages

Are you managing a large WordPress site with multiple inventories or posts? If the answer is "yes", you need a WordPress care package if you do not have the time for monthly maintenance.

Typically, small WordPress sites are easy to maintain, but large ones (such as an eCommerce store on WordPress) are a tedious job, best left to the professionals.

2. Save More Time By Hiring Others

~Spending your time doing what you do best is more productive than learning how to do it

Maintaining a WordPress site is not an easy task. Seriously.

To give you an idea, here's what you can expect when it comes to maintaining a WordPress site on a daily, weekly or monthly basis.

Task                                   Complexity   Time required
Updating WordPress themes and plugins  Easy         < 15 minutes
Server monitoring                      Moderate     ~ 30 minutes
Clean and optimize database            Moderate     ~ 15 minutes
Checking for malware                   Moderate     ~ 15 minutes
Resolving incompatibility              Tough        > 30 minutes
Performing WordPress migration         Tough        > 3 hours

The above is just a simple list of the tasks you need to do to maintain a WordPress site. If you run a large site or an eCommerce site, there is even more to do, which ultimately takes a lot of time.

Doing it yourself (DIY) isn't saving you money if you don't have the needed expertise. Your time should be allocated to things that generate you revenue or traffic instead.
Reginald Chan, Founder of WP Maven

3. Hiring Full Time vs Freelance / Pay As You Go

Pay As You Go Model

Hiring a full-time WordPress developer is an excellent choice when your WordPress site is making over six figures a month. If you are not there yet, the pay-as-you-go route is a better option.

For example, our monthly WordPress care package comes with a generous 5 hours of work per month for only $50. This means you save at least $300 per month on WordPress maintenance work.

4. Website Downtime Is Bad For Reputation And Sales

~WordPress care packages fix your WordPress downtime issues

When was the last time your WordPress site was not accessible to the public? Let us guess.

You reached out to the web hosting support and were told they couldn't do much because it was 'your mistake'? Yes, we hear this one too many times.

Cheap WordPress hosting solutions often provide subpar or zero support when you really need it. After all, what you pay is exactly what you will get.

Editorial Team @ WP Maven

Every hour of downtime raises the chance of losing potential sales and revenue. If your site makes $5 or $10 an hour, that is survivable. Imagine losing $100 or $500 per hour.

That's a whole different story.

5. Better Be Safe Than Sorry

~Keep your WordPress site healthy with WordPress care packages

Subscribing to a WordPress care package could mean spending $50 a month and keeping your WordPress site safe (that is, if you subscribe to our monthly plan). WordPress is a popular CMS, but it is not bulletproof, especially when it comes to vulnerabilities and security threats.

For example, with a WordPress care package, vulnerabilities in Divi or critical vulnerabilities in Elementor get fixed immediately instead of being left in the open and putting your WordPress security at risk.

Summary: Are WordPress Care Packages Right For Me?

We hope this blog post gives you an insight into what WordPress care packages are and how they can impact you as a WordPress site owner.

Contrary to popular belief, WordPress care packages are not extremely expensive, and they certainly come in handy in times of need. Learn more about WordPress care packages here.

Critical Zero-Day Vulnerability In Elementor Page Builder Pro Plugin

We hate to break this to you, but a new critical zero-day vulnerability has been found in the popular Elementor Pro page builder plugin (source). The vulnerability allows an authenticated user, even a subscriber-level account, to upload an arbitrary file, which can lead to remote code execution.

What's more, the vulnerability is being actively exploited, and Elementor Pro users are urged to update the plugin immediately. At the time of writing, Elementor Pro has been updated to version 2.9.4, which patches the vulnerability.

Here is some information about the vulnerability in the Elementor Pro plugin:

Threats found on your website may lead to degraded rankings in the search engine results page (SERP), blacklisting or other sanctions. Therefore, it is extremely important to update your Elementor Pro plugin right now.

WordPress 5.4 Will Add Lazy-Loading To All Images

~What is lazy loading images in WordPress?

News flash. WordPress announced that WordPress 5.4 may feature image lazy-loading by default (the feature ultimately shipped in WordPress 5.5). It adds the loading HTML attribute to IMG elements, which means WordPress publishers will no longer need JavaScript or a third-party plugin to lazy-load their images.

But, what is lazy load anyway?

The loading HTML attribute tells the browser either to wait before downloading an image or to download it right away. No JavaScript is needed.


Lazy loading means displaying images only when they come close to the visitor's viewport. By default, every image on a page is downloaded as soon as the page loads, and on image-heavy pages that makes a WordPress site slow.

Deferring those downloads until they are needed speeds up page load and makes WordPress faster.

If you are geeky enough and want to know more about lazy-loading images, read this. The loading attribute had three possible values, but only two really matter:

  1. lazy
  2. eager

lazy, which WordPress will set by default, tells the browser to wait until the image is within a certain distance of the viewport before downloading it. This speeds up the user's experience on WordPress sites.

On the other hand, eager tells the browser to download the image immediately.

Want to speed up your WordPress site?

We use WP Rocket (we highly recommend it) and here's how we configure it properly

WordPress 5.4 Release Date

At this point in time, WordPress 5.4 is scheduled for release on March 31, 2020. Note that the date is subject to change depending on how ready the release is, though historically WordPress has been very good about meeting its deadlines.

Official WordPress Announcement

“The implementation seeks to enable lazy-loading images by default, providing the loading attribute with value lazy on the following img tags:

Images in post content
Images in post excerpts
Images in comments
Images in text widget content
Individual images rendered via wp_get_attachment_image()
Avatar images rendered via get_avatar()

Note that loading="lazy" will only be added if the respective tag does not yet include a loading attribute. In other words, to prevent an image from being lazy-loaded, it is recommended to specify loading="eager".”
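The rule in that announcement is small enough to show in full. The following is an added example (ours, not WordPress core code): it adds loading="lazy" to every IMG tag in a block of post content unless the tag already carries a loading attribute, and it also handles single-quoted, upper-case and self-closing tags, which is slightly more general than the quote spells out. The function and its $enabled switch are our own names (an assumption); the switch stands in for a site-wide opt-out.

```php
<?php
// Added example, not WordPress core code. Run with: php lazy_loading_demo.php

function demo_add_lazy_loading( $content, $enabled = true ) {
    if ( ! $enabled || false === stripos( $content, '<img' ) ) {
        return $content; // fast path: nothing to do
    }
    return preg_replace_callback(
        '/<img\b[^>]*>/i',
        function ( array $m ) {
            $tag = $m[0];
            // Respect an existing opt-in or opt-out, e.g. loading="eager" on a hero image.
            if ( preg_match( '/\sloading\s*=/i', $tag ) ) {
                return $tag;
            }
            // Insert directly after the tag name, keeping the original case and attributes intact.
            return substr( $tag, 0, 4 ) . ' loading="lazy"' . substr( $tag, 4 );
        },
        $content
    );
}

// Constructed sample content: one image explicitly eager, one plain, one upper-case and self-closing.
$sample = '<p>Intro</p>'
    . '<img src="hero.jpg" loading="eager" alt="hero">'
    . "<img src='a.jpg' alt='a'>"
    . '<IMG SRC="b.png" />';

// Only the second and third images gain loading="lazy"; the eager hero image is left alone.
echo demo_add_lazy_loading( $sample ), "\n";

// With the switch off the content passes through untouched.
echo demo_add_lazy_loading( $sample, false ) === $sample ? "disabled: unchanged\n" : "disabled: modified\n";
```

In WordPress 5.5 and later the equivalent switch is the `wp_lazy_loading_enabled` filter; returning false from it disables the attribute site-wide, while `loading="eager"` on an individual tag opts that image out, exactly as the announcement describes.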

What do you think?

Here's what we think. The implementation of lazy-loading in WordPress shows how important it is to have a fast WordPress site. We recommend reading this article on how to make your WordPress site faster.

As usual, tell us what you think in the comments below!

Critical Security Update For Oxygen Builder

~A security flaw was found in the latest version of Oxygen Builder

On Wednesday, January 15th, a security vulnerability in Oxygen's code was privately disclosed to the Oxygen team by Sam Thomas of Pentest Ltd.

The Oxygen developers started investigating the disclosed vulnerability and, while creating the security patch, encountered an additional related vulnerability that had not been reported.

As far as is known, these vulnerabilities have not been exploited in the wild, so Oxygen users have a little time to update. Do not count on it lasting: once a patch is public, the fix itself shows attackers where to look.

Oxygen 3.1.1 is a security patch specifically for these vulnerabilities and contains no other changes. The Oxygen team is not releasing a changelog or further details until users have had sufficient opportunity to update their sites.

We recommend that all Oxygen users update their sites to version 3.1.1 immediately. Here's how you can do that easily:

Automatically Update Oxygen Builder Plugin


Check The License Keys

Go to Oxygen » Settings » License and make sure your license key is entered. Once your key is entered (even if it was already present), click “Submit” and ensure you see the “valid” response next to the input box. This step ensures that you are able to update to the latest Oxygen Builder plugin.


Get The Latest Version

Head over to Dashboard » Updates in the WordPress admin panel and, if the Oxygen update isn’t already visible in the plugin update section, click “Check Again” until the update appears. By default, you don't have to request a check again as it is automated.


Updating Oxygen Builder

Once you are prompted with the upgrade, tick the box next to Oxygen in the plugin update section and click “Update Plugins”.



Here's the last step. Head over to the Plugins page in the WordPress admin panel and verify that Oxygen’s version number is 3.1.1.

Manually Update Oxygen Builder Plugin


Login To Oxygen Backend

Go to Oxygen Builder backend and click “Download Oxygen”.


Download Latest Oxygen Builder

In the list of purchases, find your Oxygen purchase and click “View Details and Downloads”.


Download The Relevant Files

Under the “Products” heading, find the download link for Oxygen 3.1.1 and download the zip file (if you use Safari, please switch to Chrome or Firefox to download the file to avoid the file being unzipped automatically).


Login to WP Admin

Log into your WordPress site and go to the Plugins page in the WordPress admin panel.


Disable Old Oxygen Builder

Find Oxygen and click “Deactivate”, then “Delete”.


Install The Latest Oxygen Builder

At the top of the Plugins page, click “Add New”, and then “Upload Plugin”.


Upload Oxygen Builder

Click “Choose File” and select the Oxygen 3.1.1 zip file you just downloaded.


Activate Oxygen Builder

Once the plugin is finished installing, make sure to activate it.

Clear WordPress Cache After Installation

Lastly, remember to clear your WordPress cache to ensure that all old files are removed and a new cache is generated for your site. Read this guide on how to clear WordPress cache if you need any assistance.

What Is The Cost Of Having A Fast WordPress Site?