Security researchers have discovered susceptibilities in a widely used WordPress extension that leaves sites disposed to remote hijacking.

WordPress-powered sites that use the All in One SEO Pack should promptly install an update that fixes the privilege escalation vulnerabilities, Administrators can upgrade by logging in to the admin panel, selecting plug-ins, and choosing the All in One title. The just-released version that fixes the vulnerabilities is 2.1.6.

The worst of the attacks made possible by the bugs can allow attackers to inject malicious code into the admin control panel, Malicious hackers could then change an admin's password or insert backdoor code into the underlying websites. People could also remotely tamper with a site's search engine optimization settings. To exploit the bugs, attackers need only an unprivileged account on the site, such as one for posting reader comments. In some cases, the privilege escalation and cross-site scripting bugs in All in One SEO are combined with another vulnerability

"If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk," the researcher wrote. "If you have open registration, you are at risk, so you have to update the plugin now."

The bug report and fix comes a week after a researcher disclosed an unrelated weakness in WordPress.com-hosted sites that in many cases made them susceptible to hijacking. Developers say the unsafe browser cookie flaw will be fixed in the next scheduled WordPress release. All in One SEO has been downloaded more than 18.5 million times

Comment