The Threat Intelligence team of WordFence discovered a cross-site script vulnerability in All In One SEO plugin. The plugin is installed on over 2 million sites; hence, it puts the two million users at risk.
The All In One SEO vulnerability allows the registered users with contributor level access or above to inject a script that gets executed when someone opens ‘all posts’ page via admin account.
WordFence found the vulnerability on July 10, 2020, and they reached out to the plugin’s team on the same day. Semper Plugin has released the patched version of the All in One SEO plugin on July 15, 2020.
Severity of the All In One SEO Vulnerability
This vulnerability is of medium-level severity. And it can be used to take over the site entirely.
This is a Cross-Site Scripting Vulnerability (XSS). In it, the hackers use an input interface to add the malicious scripts, and if the admin goes to the page with the script, it gets executed on the load.
So, the pages or part of the site where the user can upload content such as images, code, content, etc., need to be “sanitized” so no one can upload malicious scripts at the place of the content.
Usually, the entry points to the site are comments or forms for the users. But sometimes the vulnerability can also affect the area that is only accessible by the registered users.
However, this is a Medium Level Severity because only the registered users with the posting privileges can utilize this vulnerability.
How it affected All In One SEO Plugin
All In One SEO is a popular SEO plugin for WordPress. It provides various SEO features to help the users in creating content that ranks higher in search engines.
One of the functions of the SEO plugin is to enable the user to set the SEO title and SEO description. The function allows the writers to use the keywords for SEO. All the users that can create or post content on the site can access this feature.
However, WordFence discovered that the SEO metadata for posts fields such as SEO title and SEO description boxes have no input sanitization. So, the contributors, authors, or editors can easily inject HTML or JS into these fields if the site uses the All in One SEO plugin.
The SEO title and SEO description the user enters here is displayed on the ‘all posts’ page for quick editing.
Anything, code, or script added to this field would be present at the “all posts” page too, and in unsanitized format. This means the script will run once the page loads.
Hackers can use this All In One SEO vulnerability to gain access to the admin account. Although they will need a registered user account, so the method cannot be used for a mass attack.
It is the job of Administrators and Editors to review all the posts submitted by the contributors and authors. So it is sure that the Administrator or the person with a higher level of access will open the ‘All Posts’ page. Then the scripts will run in the admin’s browser, and it may create a backdoor to add new administrative users.
But the patched version has added sanitization to all the SEO post metadata. Now, this vulnerability may not be work for hackers.
Though the All In One SEO Vulnerability has been solved, you must take precautions against such hacking attempts.
Follow the Principle of Minimal Privilege
The Principle of Minimal Privilege means that any user should only have the bare minimum privileges necessary to perform the tasks.
If the user needs to add the products to the shop, it does not require the store’s financial records. Similarly, if the person is responsible for the site’s security, then the person does not need access to the email marketing software.
While running a WordPress site, many functions are performed by different people. Like an author writes content, the designer has the responsibility to design the pages, while an SEO would like to optimize it.
So, you have to give various permissions to people. For that, you have to understand WordPress Roles and Capabilities.
Audit the User’s Account
You should regularly audit the user’s account on your WordPress site.
Is there an account that is not part of the site now? You can downgrade their level, or you can delete the user account entirely if they are not necessary.
Leaving an unused account on the WordPress site can work as a door for hackers. So either keep the account active or delete them.
Verify the User
If you need to outsource some of your WordPress website tasks, and for that, you need to add higher-level users such as contributors, authors, and editors, then you must verify that the user is trusted. You should check the personal references, and establish the security protocols before adding the person to your site.
Moreover, never offer your credentials. Instead, make sure to make a separate account for the new user. And then you can manage the role of that user.
Finally, it would help if you used a strong password for all the user’s accounts, irrespective of their access.
There are many WordPress login security plugins that you can use.
In this post, I explained how All In One SEO Vulnerability had affected many users.
If you are with ServerGuy, then you don’t have to worry. Our site monitoring tools track the sites and alert the technical team if they find anything unusual.
Furthermore, the patch has been released, and you should update your plugin to version 3.6.2.