All in One SEO Pack WordPress plugin patched an XSS vulnerability that was discovered by Wordfence on 10 July 2020. Any WordPress website with multiple users must update the plugin immediately.
On 10 July 2020, WordFence discovered a security vulnerability in All In One SEO Pack, which is installed on over 2 million sites (according to WordPress.org).
This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all posts’ page.
The security threat could result in “a complete site takeover and other severe consequences”.
According to WordFence, the plugin’s team was immediately alerted of the vulnerability and a patch was released a few days later on 15 July 2020.
The latest Version 3.6.2, released on 15 July 2020, fixed the threat, and the wordings of the changelog pointed towards the fix – “added additional sanitization for security hardening”.
Wordfence Premium added a new firewall rule on 10 July 2020 to protect against exploits targeting this vulnerability. Free Wordfence users should update the plugin as they will get the firewall protection after thirty days, on 9 August 2020.
According to the available information, around 88% of active installations of the plugin were Version 3.5 or lower, and 12% of the installations are 3.6.X. Hence, the latest vulnerability is affecting more than 1.75 million websites.