Secure Version of All In One SEO Pack Plugin For Wordpress Now Available


After the discovery of a security flaw in the hugley popular 'All in One SEO Pack' plugin for WordPress, a secure version has now been made and is available for download.

Huge Popularity

As an IT Support Company in Hertfordshire we know how popular the WordPress platform is among our customers and the plug-ins are a popular, helpful, and cost saving aspect of it. In fact WordPress is the most popular CRM style website platform, used by 26% or all websites and the All in One SEO Pack” has been downloaded by 30 million users and is estimated to be in use now in a million websites. This is what makes the matter of a a flaw in the code of that plugin such a serious matter.

Problem With The Plugin

A 'Bot Blocker’ component was used in the plug-in to detect and block spam bots based on their user agent and referrer header values, and it was in this element that the vulnerability was discovered.

Exploiting Code Flaw

As an IT Support Company in Hertfordshire we are all too aware of the rise in cyber crime activity, particulalrly over the last year. The Bot Blocker component in the plugin had a flaw in the code which meant that it could be exploited remotely by sending HTTP requests with specifically crafted headers to the website. Hackers then were able to put malicious Javascript into these headers that could be logged inside the tracked bot panel page, and then executed to steal an admin's session token.

Totally anonymous users therefore could relatively easily get into a WordPress website that had the plug-in installed and store an XSS (JavaScript) payload in the dashboard without the website owner / administrator knowing. Finding the admin details is of course vital to hackers / cyber criminals being able to take over a website.

The seriousness of flaws in some aspects of WordPress has been highlighted several times in recent years such as when 26,000 WordPress websites with the Pingback function enabled were used as part of a botnet to launch DDoS attacks on other websites back in February this year.

What Does This Mean For Your Business?

The discovery of this latest flaw means that if your business website is a WordPress website that has the All in One SEO Pack installed you will need to make sure that you upgrade to this to the latest 2.3.7. version as soon as possible (after Friday), or you can make sure that you don't have the Track Blocked Bots setting enabled in the website.

Microsoft Registered PartnerMicrosoft Registered Partner hp Business Partnerhp Business Partner DELL Registered PartnerDELL Registered Partner excel Cisco Partner RegisteredCisco Partner Registered ZyXEL Solution Partner 2014ZyXEL Solution Partner 2014 AVG Silver ResellerAVG Silver Reseller Paxton Access Certified InstallerPaxton Access Certified Installer