The popular All In One SEO Plugin for WordPress has released an update addressing two security issues discovered by Sucuri during a security audit. According to Sucuri, one of the vulnerabilities can be used to escalate privileges while the other deals with Cross Site Scripting attacks.
A logged-in user who doesn’t have administrative capabilities is able to modify certain parameters of the plugin such as the post’s SEO title, description, and meta tags. These changes could cause long-term negative effects to search engine rankings.
Unfortunately, this bug can also be used to execute malicious code on an administrator’s control panel. Sucuri says “this means that an attacker could potentially inject any JavaScript code and do things like change the admin’s account password to leaving some backdoor in your website’s files in order to conduct even more “evil” activities later.”
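The two issues described above follow a pattern that is common in WordPress plugins: a save handler that writes request data into post meta without checking who is making the request, and an admin screen that echoes the stored value back without escaping it. The following is an added illustration, not code from the All In One SEO plugin or from Sucuri's advisory; the function names, hook usage and the `_example_seo_title` meta key are hypothetical. It shows a weak meta-box handler next to a hardened one that adds a nonce check, a capability check, input sanitization and output escaping.

```php
<?php
// Added example (not the plugin's own code). Names beginning with
// "example_" and the meta key "_example_seo_title" are hypothetical.

// --- Weak pattern -----------------------------------------------------------
// Any request that reaches this hook can overwrite the SEO title for the post,
// and the stored value is later echoed unescaped into the admin screen, so
// whatever was stored is rendered in the administrator's browser.
function example_seo_save_weak( $post_id ) {
    if ( isset( $_POST['example_seo_title'] ) ) {
        update_post_meta( $post_id, '_example_seo_title', $_POST['example_seo_title'] );
    }
}

function example_seo_render_weak( $post ) {
    $title = get_post_meta( $post->ID, '_example_seo_title', true );
    echo '<input type="text" name="example_seo_title" value="' . $title . '">';
}

// --- Hardened pattern -------------------------------------------------------
function example_seo_save_hardened( $post_id ) {
    // Skip autosaves; they never carry the meta-box fields.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }

    // Nonce check: the request must come from a form this plugin rendered.
    if ( ! isset( $_POST['example_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_save' ) ) {
        return;
    }

    // Capability check: only a user allowed to edit this post may change its
    // SEO fields. Use 'manage_options' instead if the fields are admin-only.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    if ( isset( $_POST['example_seo_title'] ) ) {
        // Sanitize on input: strip tags, control characters and extra whitespace
        // before the value is stored.
        $title = sanitize_text_field( wp_unslash( $_POST['example_seo_title'] ) );
        update_post_meta( $post_id, '_example_seo_title', $title );
    }
}

function example_seo_render_hardened( $post ) {
    // Emit the nonce field the save handler verifies.
    wp_nonce_field( 'example_seo_save', 'example_seo_nonce' );
    $title = get_post_meta( $post->ID, '_example_seo_title', true );
    // Escape on output for the HTML attribute context, so stored data cannot
    // break out of the value attribute even if sanitization was bypassed.
    echo '<input type="text" name="example_seo_title" value="' . esc_attr( $title ) . '">';
}

// Front-end output of the same field as a meta tag: escape again for the
// attribute context rather than trusting what is in the database.
function example_seo_head() {
    if ( ! is_singular() ) {
        return;
    }
    $title = get_post_meta( get_the_ID(), '_example_seo_title', true );
    if ( '' !== $title ) {
        echo '<meta name="example:seo-title" content="' . esc_attr( $title ) . '">' . "\n";
    }
}

add_action( 'save_post', 'example_seo_save_hardened' );
add_action( 'wp_head', 'example_seo_head' );
```

The render functions would normally be registered through `add_meta_box()`; only the hardened save handler is hooked here. The point of the example is that sanitizing on input and escaping on output are separate controls: the capability and nonce checks stop a low-privilege user from changing the fields at all, and `esc_attr()` ensures that even a value that slipped into the database is displayed as text in the admin screen rather than executed.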
Sucuri recommends upgrading the plugin as soon as possible.
I think this is the same bug that was reported on the Tavern a few years ago.