Security vulnerabilities in SEO plugin leave millions of WordPress users at risk

Whilst WordPress might be one of the most popular global content management systems, it is also one of the most vulnerable and targeted CMS platforms. The reason for this is simple: its popularity and reach make it extremely attractive to attackers determined to exploit flaws in both outdated software and vulnerable plugins. The security vulnerabilities are compounded because many WordPress-powered websites use dozens of plugins from third parties. What the owners of these websites often fail to realise is that these plugins need to be updated as regularly as the software on any other computer to protect against security vulnerabilities. This is particularly important if the plugins have been sloppily coded by their developers, as there is the potential risk that affected websites could be compromised and could in turn put the computers of visiting users at risk.

How serious is the problem? Well, in March 2014 the internet services company Netcraft published statistics showing that nearly 12,000 WordPress websites were compromised in February alone, with attackers using them to conduct phishing campaigns against the customers of high-profile websites, principally PayPal (25%) and Apple (17%). Interestingly, Netcraft found that these WordPress installations were not only being abused for phishing campaigns; nearly 27 million websites running WordPress were also vulnerable to brute-force password guessing attacks because of a lack of proper and robust security settings. In the same month the security firm Sucuri also discovered a large DDoS attack that used WordPress sites as an indirect amplification vector. The botnet comprised 162,000 unsuspecting WordPress-powered websites that were used to run DDoS attacks.

The latest worrying news about WordPress vulnerabilities also comes from Sucuri. The security firm’s researchers found a potentially dangerous security hole in the code of the All in One SEO Pack plugin that could leave the door open to malicious attackers. All in One SEO Pack is a very popular choice for webmasters who wish to boost their WordPress-powered site’s position in search engine rankings. The plugin has proved so popular that over 18 million people have already downloaded it for use on their websites.

In a blog post Sucuri explained that the privilege escalation vulnerabilities allow an attacker to add and modify the WordPress website’s meta information, impacting negatively on SEO. The potential risk only applies to self-hosted WordPress sites, not sites hosted on WordPress.com: plugins cannot be run on WordPress.com, so that managed platform is not affected. Sucuri advised:

“While auditing [the] code, we found two security flaws that allow an attacker to conduct privilege escalation and cross site scripting (XSS) attacks.”

“In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.”

The researchers also confirmed that the cross-site scripting vulnerability could be exploited to run attacker-supplied JavaScript in an administrator’s dashboard:

“While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered this bug can be used with another vulnerability to execute malicious JavaScript code on an administrator’s control panel. Now, this means that an attacker could potentially inject any JavaScript code and do things like changing the admin’s account password or leaving some backdoor in your website’s files in order to conduct even more “evil” activities later.”
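The two defect classes Sucuri describes above, a missing authorisation check on a meta-data save and unescaped meta output in an admin screen, are easiest to understand side by side with their usual WordPress fixes. The snippet below is an added illustration, not the All in One SEO Pack’s own code: it is a hypothetical plugin (all `demo_seo_*` names and the `_demo_seo_*` meta keys are invented for the example) that stores an SEO title and description as post meta, and it assumes current WordPress core functions such as `current_user_can()`, `wp_verify_nonce()`, `sanitize_text_field()` and `esc_attr()`.

```php
<?php
/*
 * Added illustration (hypothetical plugin, not All in One SEO Pack's code).
 * "Unchecked" functions reproduce the defect class described in the article;
 * the "hardened" functions show the standard WordPress mitigations.
 */

/* ---------- Defective pattern: no authorisation, no escaping ---------- */

function demo_seo_save_unchecked( $post_id ) {
    // Defect 1 (privilege escalation): nothing verifies that the current user
    // is allowed to edit this post, and the value is stored unsanitised.
    if ( isset( $_POST['demo_seo_title'] ) ) {
        update_post_meta( $post_id, '_demo_seo_title', $_POST['demo_seo_title'] );
    }
}

function demo_seo_box_unescaped( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    // Defect 2 (stored XSS): raw meta is echoed into an admin page, so whatever
    // was stored runs in the administrator's browser.
    echo '<input type="text" name="demo_seo_title" value="' . $title . '">';
}

/* ---------- Hardened pattern ---------- */

function demo_seo_box( $post ) {
    // Nonce ties the submitted form to this meta box (CSRF protection).
    wp_nonce_field( 'demo_seo_save', 'demo_seo_nonce' );
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    $desc  = get_post_meta( $post->ID, '_demo_seo_description', true );
    // Escape on output for the context the value lands in:
    // esc_attr() inside an attribute, esc_textarea() inside a <textarea>.
    echo '<p><label>SEO title<br>'
       . '<input type="text" name="demo_seo_title" value="' . esc_attr( $title ) . '"></label></p>';
    echo '<p><label>SEO description<br>'
       . '<textarea name="demo_seo_description">' . esc_textarea( $desc ) . '</textarea></label></p>';
}

function demo_seo_save( $post_id ) {
    // Skip autosaves and revisions; they never carry our form fields.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }

    // Request must originate from our meta box.
    if ( ! isset( $_POST['demo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_seo_nonce'], 'demo_seo_save' ) ) {
        return;
    }

    // Authorisation: only a user who may edit THIS post may change its SEO
    // meta. A subscriber fails here; an author passes only for their own posts.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // Sanitise on input as defence in depth; wp_unslash() removes the slashes
    // WordPress adds to superglobals, sanitize_*_field() strips tags.
    if ( isset( $_POST['demo_seo_title'] ) ) {
        $title = sanitize_text_field( wp_unslash( $_POST['demo_seo_title'] ) );
        update_post_meta( $post_id, '_demo_seo_title', $title );
    }
    if ( isset( $_POST['demo_seo_description'] ) ) {
        $desc = sanitize_textarea_field( wp_unslash( $_POST['demo_seo_description'] ) );
        update_post_meta( $post_id, '_demo_seo_description', $desc );
    }
}

// Register the hardened box and save handler (the unchecked versions are
// shown only for comparison and are deliberately never hooked).
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'demo_seo', 'SEO (demo)', 'demo_seo_box', 'post', 'normal', 'default' );
} );
add_action( 'save_post', 'demo_seo_save' );
```

The order of the checks in `demo_seo_save()` matters: the nonce establishes that the request came from the plugin’s own form, `current_user_can( 'edit_post', $post_id )` establishes that this user may change this specific post, and only then is anything written. Escaping belongs on output regardless of how carefully input was sanitised, because meta values can also arrive through other routes (imports, other plugins, the REST API) that never passed through this save handler.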

The All in One SEO Pack plugin team has issued a security advisory to the more than 15 million websites running the software, informing users of the presence of two critical privilege escalation vulnerabilities and one cross-site scripting (XSS) flaw. They have also provided an emergency security update, All in One SEO Pack 2.1.6, that patches all the flaws.

If you are looking for further information and advice on website vulnerability, penetration testing, security reviews, security compliance and web security solutions, contact Krypsys. For more information on web security solutions, please contact Krypsys on 01273 044072 or [email protected].