The All In One SEO WordPress plugin, or AIOSEO, is among the most comprehensive SEO plugins and is used by millions of users to improve their websites' search rankings. However, the United States National Vulnerability Database (NVD) recently discovered two vulnerabilities in this plugin that can compromise users' data. The NVD also published an advisory on its official website to inform users about these vulnerabilities.
As per the advisory, the All In One SEO plugin is vulnerable to two cross-site scripting (XSS) attacks. At present, these vulnerabilities affect all versions of the plugin up to and including version 4.2.9. The AIOSEO plugin currently has more than 3 million active users.
What Exactly Are Cross-Site Scripting Attacks?
Cross-site scripting or XSS attacks involve an attacker injecting malicious scripts into a user’s browser or website. If successful, these attacks allow the attackers to impersonate the user and gain access to their site information. In some cases, it may also result in a complete website takeover.
While there are multiple types of cross-site scripting attacks, the two most common types are as follows:
● Reflected Cross-Site Scripting: This type of cross-site scripting attack involves sending a malicious script to the user. Once the user clicks on it, it takes them to a vulnerable site that subsequently reflects back the attack to the user’s browser or website.
● Stored Cross-Site Scripting: In this type of cross-site scripting attack, the malicious script is stored on the vulnerable site itself. The attackers use image upload forms, contact forms, or any other form of input to lure users into making a submission. Hackers are able to exploit this vulnerability when there is a lack of sufficient security checks for blocking such inputs.
The Vulnerabilities Affecting The AIOSEO Plugin
Both vulnerabilities identified in the All In One SEO WordPress plugin are of the stored cross-site scripting type. Usually, such vulnerabilities are assigned a number to make it easier to keep track of their status. The two vulnerabilities affecting the AIOSEO plugin are as follows.
CVE-2023-0585
This vulnerability is a result of insufficient input sanitization. In other words, there is a lack of sufficient filtering to block hackers from uploading malicious scripts. At present, this vulnerability has been assigned a threat level of 4.4 out of ten, which can be interpreted as a medium-level threat. To launch an attack in this case, the hacker first needs to acquire administrator-level access to the website.
The National Vulnerability Database (NVD) describes this vulnerability as follows: “The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
CVE-2023-0586
This vulnerability is similar to the first one. The major difference is that the attacker can launch an attack as long as they acquire contributor-level access to the website. While this is also a medium-level threat, it has been assigned a score of 6.4 out of ten.
The National Vulnerability Database (NVD) describes this vulnerability as follows: “The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor+ role to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
The Solution
The best course of action for all users of the plugin is to install the necessary updates. It is recommended that users install the AIOSEO plugin version 4.3.0, which contains the security fix against these two vulnerabilities.
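To check which sites still need the update, the version ranges above (affected up to and including 4.2.9, fixed in 4.3.0) can be tested against the plugin's own header. The script below is an added example, not code from the plugin or the advisory; the plugin directory name all-in-one-seo-pack and the sample header are assumptions.

```python
import re
import sys
from pathlib import Path

FIXED = (4, 3, 0)              # first release with the fix, per the article
SLUG = "all-in-one-seo-pack"   # assumed plugin directory name (not given in the article)

# WordPress takes a plugin's version from a "Version:" line in the header
# comment of its main PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.M | re.I)

# Constructed sample header, for illustration only.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: All in One SEO
 * Version:     4.2.9
 */
"""

def parse_version(header_text):
    """Return the version string from a plugin header, or None if absent."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None

def is_vulnerable(version):
    """True for any release below 4.3.0 (the article: up to and including 4.2.9)."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))   # "4.3" compares as 4.3.0
    return parts < FIXED

def scan(wp_root):
    """Return (file name, version, vulnerable) for the plugin under one WordPress root."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    found = []
    for php in sorted(plugin_dir.glob("*.php")):
        # The header sits at the top of the file; the first 8 KB is enough.
        version = parse_version(php.read_text(errors="replace")[:8192])
        if version:
            found.append((php.name, version, is_vulnerable(version)))
    return found

if __name__ == "__main__":
    print("sample:", parse_version(SAMPLE_HEADER), is_vulnerable(parse_version(SAMPLE_HEADER)))
    for root in sys.argv[1:]:
        for name, version, vulnerable in scan(root):
            status = "UPDATE to 4.3.0 or later" if vulnerable else "ok"
            print(f"{root}: {name} {version} -> {status}")
```

Pass one or more WordPress root directories as arguments to check each install.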