Aug 15th, 2016
A new vulnerability in the All in One SEO Pack WordPress plugin has been discovered. Users of the popular All In One SEO Pack plugin are advised to update to the most recent version as soon as possible.
A flaw in versions older than 2.3.7 could leave sites vulnerable to a cross-site scripting attack that would
allow malicious third-parties to take control.
When the feature blocks a malicious bot, it displays the HTTP request sent by the bot in the WordPress site’s dashboard. Because the request is not sanitized, a maliciously crafted request could include code, which, when the dashboard is loaded by an administrator, would send sensitive data, including authentication cookies, to the attacker.
Mitigating the risk of the attack is mandatory in order to prevent code injections.
Customers using this plugin are advised to contact us for steps on how to solve this issue.
If you are not a customer subscribed under our Server Management plan and would like to have this vulnerability patched please purchase a 1x Hour of Support plan.