WordPress users should update their plugins to protect themselves from a serious flaw in the popular ‘All in One SEO Pack’.
The SEO Pack is designed to optimise sites to appear in search results, and has been downloaded almost 19 million times. The vulnerability allowed hackers to launch privilege escalation and cross-site scripting attacks against users running older versions, below 2.1.6. Affected sites could have their search rankings kept down and malicious code embedded into pages.
The flaw was discovered by a security analyst who has warned that sites with open registration, or with authors and other non-admin users logging into wp-admin, are at risk. He also warned that “this bug can be used with another vulnerability to execute malicious Javascript code on an administrator’s control panel.” As a result, attackers could inject any code and change passwords to retain access later.
Thousands of phishing attacks are launched from insecure WordPress blogs every month. Many of the blogs are vulnerable to password attacks due to the “predictable location of the administrative interface and the still widespread use of the default ‘admin’ username.”