Older versions of the All in One SEO Pack WordPress plugin contains a vulnerability that allows an attacker to store malicious code in the website’s admin panel that could potentially help him take over the website.

At the time of writing, when accessing the WordPress Plugin directory’s Popular section, the first plugin listed above everyone else is All in One SEO Pack by Semper Fi Web Design.

The plugin helps webmasters improve their site’s SEO (Search Engine Optimization) features via an easy to use wall of on/off settings.


Issue found in the Bot Blocker feature

One of those settings is called Bot Blocker and allows users to decide what search engine crawlers to block from accessing their site. This setting is off by default, so there’s no reason for all plugin users to worry.

Where webmasters have turned this feature on, they probably know that it also logs all rejected bots and the time when they visit their sites.

According to security researcher David Vaartjes, the plugin logs these visits without sanitizing the text included in the User Agent strings and Referrer headers sections.

Vulnerability exploitation is trivial

An attacker only has to change one of these two features by appending malicious code at the end, for a bot that he knows is blocked on the site.

This (malicious) code gets stored in the WordPress site’s database and automatically executed when the admin visits the log page.

Packing JavaScript code that steals admin user cookies is trivial for any low-to-mid skilled attacker. The cookies can be used to hijack admin login sessions or to carry out other CSRF attacks.

Webmasters using this plugin should know that this issue is fixed in the plugin’s latest version, which at the time of writing is 2.3.7. This attack was only tested in All in One SEO Pack version 2.3.6.1, which doesn’t exclude the fact that older versions might be vulnerable as well. In this case, updating to the latest version is advised.

Exploit proof of concept

Exploit proof of concept

This entry passed through the Full-Text RSS service – if this is your content and you’re reading it on someone else’s site, please read the FAQ at fivefilters.org/content-only/faq.php#publishers.
Recommended article from FiveFilters.org: Most Labour MPs in the UK Are Revolting.

Related Posts

Facebook Comments

Return to Top ▲Return to Top ▲