All in One SEO Pack affected by stored XSS issue

Jul 11, 2016 22:15 GMT  ·  By

Older versions of the All in One SEO Pack WordPress plugin contain a vulnerability that allows an attacker to store malicious code in the website's admin panel that could potentially help them take over the website.

At the time of writing, the first plugin listed in the Popular section of the WordPress Plugin directory is All in One SEO Pack by Semper Fi Web Design.

The plugin helps webmasters improve their site's SEO (Search Engine Optimization) features via an easy-to-use wall of on/off settings.

Issue found in the Bot Blocker feature

One of those settings is called Bot Blocker and allows users to decide what search engine crawlers to block from accessing their site. This setting is off by default, so there's no reason for all plugin users to worry.

Where webmasters have turned this feature on, they probably know that it also logs all rejected bots and the time when they visit their sites.

According to security researcher David Vaartjes, the plugin writes these visits to its log without sanitizing the contents of the User-Agent and Referer request headers.

Vulnerability exploitation is trivial

An attacker only has to send a request whose User-Agent matches a bot they know is blocked on the site, with malicious code appended to the end of either of these two headers.

This (malicious) code gets stored in the WordPress site's database and automatically executed when the admin visits the log page.

Packing JavaScript code that steals admin user cookies is trivial for any low-to-mid skilled attacker. The cookies can be used to hijack admin login sessions or to carry out other CSRF attacks.
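To make the defect concrete, here is an added illustration (not the plugin's own code) of the pattern described above: a minimal bot-blocker log that stores the raw User-Agent and Referer of a rejected request and later renders them in an admin page, first echoing the stored strings unescaped and then escaping them on output with WordPress's `esc_html()`. It assumes it is run outside WordPress, so a stand-in for `esc_html()` is defined when the real one is absent.

```php
<?php
// Added example, not code from All in One SEO Pack: a minimal "bot blocker"
// log showing why unescaped header values in an admin page are a stored XSS.
// Assumption: run from the PHP CLI outside WordPress, so a stand-in for
// WordPress's esc_html() is defined when the real function is not loaded.

if (!function_exists('esc_html')) {
    // Stand-in mirroring what WordPress esc_html() does for this purpose.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Store a rejected request exactly as the blocker sees it; both headers are
// fully attacker-controlled, so the stored strings are untrusted.
function log_blocked_request(array &$log, string $userAgent, string $referer): void {
    $log[] = ['time' => gmdate('c'), 'ua' => $userAgent, 'referer' => $referer];
}

// Vulnerable renderer: raw header values are placed straight into the markup.
function render_log_vulnerable(array $log): string {
    $html = "<table>\n";
    foreach ($log as $row) {
        $html .= "<tr><td>{$row['time']}</td><td>{$row['ua']}</td><td>{$row['referer']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Fixed renderer: every stored value is escaped at the point it enters HTML,
// so any markup in the header is shown as text instead of being executed.
function render_log_fixed(array $log): string {
    $html = "<table>\n";
    foreach ($log as $row) {
        $html .= '<tr><td>' . esc_html($row['time']) . '</td><td>' . esc_html($row['ua'])
               . '</td><td>' . esc_html($row['referer']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample: a request naming a blocked bot but carrying markup in
// both headers, the situation the article describes.
$log = [];
log_blocked_request($log, 'BlockedBot/1.0 <script>/*constructed*/</script>',
                    'http://example.test/<img src=x onerror="/*constructed*/">');

$vuln  = render_log_vulnerable($log);
$fixed = render_log_fixed($log);
echo strpos($vuln, '<script>') !== false ? "vulnerable: script tag reaches the admin page\n" : '';
echo (strpos($fixed, '<script>') === false && strpos($fixed, '&lt;script&gt;') !== false)
     ? "fixed: markup is neutralised on output\n" : '';
```

The same escape-on-output rule applies to any other place the log is rendered (for example a JSON export or an admin notice), each with the escaping function appropriate to that context.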

Webmasters using this plugin should know that this issue is fixed in the plugin's latest version, which at the time of writing is 2.3.7. The attack was only tested against All in One SEO Pack version 2.3.6.1, which does not rule out that older versions are vulnerable as well. In any case, updating to the latest version is advised.
