Developers Patch XSS Hole in All in One SEO Pack WordPress Plugin

Developers have patched a vulnerability in the All in One SEO Pack WordPress plugin that allows for persistent cross-site scripting (XSS).

Security researcher David Vaartjes explains the vulnerability affects version of All in One SEO Pack, a SEO tool which is reportedly the most downloaded plugin for WordPress:

“A stored Cross-Site Scripting vulnerability exists in the Bot Blocker functionality of the All in One SEO Pack WordPress Plugin (1+ million active installs). Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed User Agent or Referrer header.”

The Bot Blocker detects bots based upon the User Agent or Referrer header. When the “Track Blocked Bots” setting is enabled, the functionality blocks a request if either of those two headers contains one of the pre-configured list of bot names. It then logs the request and displays it on a HTML page inside of the administration panel.

There’s just one problem: Bot Blocker version doesn’t implement proper sanitization or output encoding.

As a result, an attacker could change either the User Agent or Referrer header and append malicious code to it. That malicious code will execute every time a user visits the HTML page inside the administration panel.

Depending on the code, an attacker could steal admin user cookies, hijack admin login sessions, or carry out other cross-site request forgery (CSRF) attacks.

Semper Fi Web Design, the developer of All in One SEO Pack, has released version 2.3.7 of their plugin that patches this XSS vulnerability. Users with “Track Blocked Bots” enabled are especially urged to upgrade as soon as possible.

An updated version of All in One SEO Pack is available here.

Users can view a proof-of-concept demonstration of the vulnerability in a blog post published by Vaartjes here.