{"id":5659,"date":"2014-06-02T12:49:38","date_gmt":"2014-06-02T16:49:38","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=5659"},"modified":"2014-06-02T12:49:38","modified_gmt":"2014-06-02T16:49:38","slug":"flaws-in-popular-seo-plug-in-put-wordpress-websites-at-risk","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/02\/flaws-in-popular-seo-plug-in-put-wordpress-websites-at-risk\/","title":{"rendered":"Flaws in popular SEO plug-in put WordPress websites at risk"},"content":{"rendered":"<section class=\"page\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/i0.wp.com\/core5.staticworld.net\/images\/article\/2013\/04\/hacker_internet_web_attack-100033459-large.jpg?resize=580%2C461\" alt=\"\" width=\"580\" height=\"461\" \/>Many WordPress websites could be at risk of compromise if their administrators don\u2019t upgrade a popular search engine optimization (SEO) plug-in to a newly released version that fixes serious vulnerabilities.<\/p>\n<p>Researchers from Web security firm Sucuri found two flaws in a plug-in called \u201cAll in One SEO Pack\u201d that potentially allow attackers with access to non-administrative WordPress accounts to elevate their privileges and inject malicious code into the administration panel.<\/p>\n<p>\u201cIf your site has subscribers, authors and non-admin users logging in to wp-admin, you are a risk,\u201d the Sucuri researchers said Saturday in a <a href=\"http:\/\/blog.sucuri.net\/2014\/05\/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html\" target=\"_blank\">blog post<\/a>. \u201cIf you have open registration, you are at risk, so you have to update the plugin now.\u201d<\/p>\n<p>The \u201cAll in One SEO Pack\u201d plug-in automatically optimizes WordPress content for more efficient indexing by search engine crawlers to achieve a better ranking in search results. According to <a href=\"https:\/\/wordpress.org\/plugins\/all-in-one-seo-pack\/\" target=\"_blank\">statistics from the official WordPress add-ons repository<\/a>, the plug-in has been downloaded over 18.5 million times to date.<\/p>\n<p>One of the two flaws discovered by Sucuri can be exploited by a regular user, like an author or a subscriber, to modify a post\u2019s SEO title, description and keyword meta tags created by the plug-in. If used maliciously, this could result in damage to a site\u2019s search result ranking.<\/p>\n<p>However, the vulnerability can also be combined with a second flaw to inject malicious JavaScript code on the administrator control panel that would execute when the page is loaded.<\/p>\n<p>This means an attacker could potentially do things like change the admin account\u2019s password or insert backdoor code into the website files to conduct other malicious activities at a later time, the Sucuri researchers said.<\/p>\n<p>WordPress site administrators are advised to upgrade the \u201cAll in One SEO Pack\u201d plug-in to version 2.1.6 which was released Sunday in the WordPress add-ons repository. An update can also be initiated from the plug-in\u2019s administration panel.<\/p>\n<p>WordPress sites have been a popular target for attackers over the years and vulnerabilities in the platform\u2019s third-party components such as plug-ins or themes have been exploited in the past.<\/p>\n<p>A critical vulnerability found in 2011 in an image resize script called TimThumb that was bundled in many WordPress themes was still being targeted in attacks over a year later.<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2357740\/flaws-in-popular-seo-plugin-put-wordpress-websites-at-risk.html\" target=\"_blank\">PCWorld<\/a><\/p>\n<\/section>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many WordPress websites could be at risk of compromise if their administrators don\u2019t upgrade a popular search engine optimization (SEO) [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7,9],"tags":[341,1243],"class_list":["post-5659","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-exploit","tag-wordpress"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1th","jetpack-related-posts":[{"id":9309,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/03\/18\/this-week-in-tech-658-the-matador-defense\/","url_meta":{"origin":5659,"position":0},"title":"This Week in Tech 658: The Matador Defense","author":"NCCT","date":"March 18, 2018","format":false,"excerpt":"https:\/\/youtu.be\/ZLvZn_xEil0 Controversial RyzenFall AMD flaws revealed. Leo gives up Facebook for good over Cambridge Analytica scandal. Broadcom gives up its Qualcomm takeover. Apple announces an education-themed event on March 27th. Farewell Adrian Lamo. Theranos officially charged with fraud. Bitcoin mining will drain the world's energy.","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/ZLvZn_xEil0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9305,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/02\/26\/this-week-in-tech-655-banana-is-phone\/","url_meta":{"origin":5659,"position":1},"title":"This Week in Tech 655: Banana Is Phone","author":"NCCT","date":"February 26, 2018","format":false,"excerpt":"https:\/\/youtu.be\/3Ndfvf28O5o Samsung announces 2 new phones as Mobile World Congress kicks off in Barcelona. iCloud keys are stored in China. All 150 new emojis for 2018 revealed. Nokia's newest phone is a nod to The Matrix. GDPR and H.R. 1865 and their implications. Intel knew about flaws in chips but\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/3Ndfvf28O5o\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9450,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/20\/are-passwords-immortal-security-now-690\/","url_meta":{"origin":5659,"position":2},"title":"Are Passwords Immortal? &#8211; Security Now 690","author":"NCCT","date":"November 20, 2018","format":false,"excerpt":"https:\/\/youtu.be\/mOSTtkK7vy0 Pwn2Own, the Future of Passwords. -- All the action at last week's Pwn2Own Mobile hacking contest -- The final word on processor mis-design in the Meltdown\/Spectre era -- A workable solution for unsupported Intel firmware upgrades for hostile environments -- A forthcoming Firefox breach alert feature -- The expected\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/mOSTtkK7vy0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9518,"url":"https:\/\/nccomputertech.com\/techtalk\/2019\/02\/10\/between-the-buns-this-week-in-tech-705\/","url_meta":{"origin":5659,"position":3},"title":"Between the Buns &#8211; This Week in Tech 705","author":"NCCT","date":"February 10, 2019","format":false,"excerpt":"https:\/\/youtu.be\/KZ52Am221no Improving government websites, blocking the big five, Spotify\u2019s podcast move, and more. -- Alphabet Earnings: Google's Cost Per Click -- Cutting out Google, Apple, Amazon, Facebook, and Microsoft -- The US to Ban Huawei 5GTech -- Germany Outlaws Facebook's Business Model -- What if Google Just Doesn't Pay Its\u2026","rel":"","context":"In &quot;Apple&quot;","block_context":{"text":"Apple","link":"https:\/\/nccomputertech.com\/techtalk\/category\/apple\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/KZ52Am221no\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9393,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/08\/19\/this-week-in-tech-680-hacky-hack-hack\/","url_meta":{"origin":5659,"position":4},"title":"This Week in Tech 680: Hacky Hack Hack","author":"NCCT","date":"August 19, 2018","format":false,"excerpt":"https:\/\/youtu.be\/7ClMz3MkTJk This Week in Tech Elon's Twitter addiction, $1200 iPhone XS+, Movie Pass Fail, Pai's lie, and more. --Leave Elon alone! Tesla tumbles after Musk laments his \"most difficult and painful year.\" --Google employees revolt over China rumors; town hall meeting shut down due to \"kerfuffle\" tweets. --Apple thinks that\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/7ClMz3MkTJk\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9297,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/02\/11\/this-week-in-tech-653-x-stands-for-nothing\/","url_meta":{"origin":5659,"position":5},"title":"This Week in Tech 653: X Stands for Nothing","author":"NCCT","date":"February 11, 2018","format":false,"excerpt":"https:\/\/youtu.be\/9vdjtG9ozeQ HomePod should have been delayed longer. Elon Musk's rollercoaster week: Falcon Heavy sends a Tesla to Mars just as Tesla has its worst quarter ever. iPhone boot code leaked online. Chrome will shame insecure websites. YouTube suspends Logan Paul for generally being a horrible human being. Rethinking Facebook and\u2026","rel":"","context":"In &quot;Technology&quot;","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/9vdjtG9ozeQ\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=5659"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5659\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=5659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=5659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=5659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}