All In One SEO Patches Multiple Stored XSS Vulnerabilities in Version 4.3.0 

Wordfence has published the details of two stored XSS vulnerabilities the company responsibly disclosed to the developers of the All In One SEO plugin in January 2023. The vulnerabilities potentially impacted more than 3 million users on versions 4.2.9 and earlier.

Wordfence attributes one vulnerability, which received a 6.4 (Medium) CVSS score, to insufficient input sanitization and output escaping. Researchers found that this “makes it possible for authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The second vulnerability was given a 4.4 (Medium) CVSS score and requires an authenticated attacker to have Administrator-level privileges. Wordfence outlined how attackers might exploit these vulnerabilities:

Unfortunately, vulnerable versions of this plugin fail to escape submitted site titles, meta descriptions and other elements during post and page creation, and when changing plugin settings. This made it possible for users with access to the post editor, such as contributors, to insert malicious JavaScript into those fields, which would execute in the browser of any authenticated user, such as a site’s administrator, editing such a post or page.

This is a likely scenario to occur as posts written by contributors have to be reviewed and moderated prior to publication.
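As an added illustration of the mechanism Wordfence describes (this is example code, not code from All In One SEO or from Wordfence; the meta key, field name and function names are hypothetical), the PHP below shows a stored SEO field echoed unescaped into the post editor beside the sanitize-on-save, escape-on-output version. Fallback definitions of the WordPress escaping helpers let it run under plain `php` outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added illustrative example (not All In One SEO's code): a stored XSS in a
// post-meta field and the WordPress escaping that prevents it.
// Meta keys, field names and helper names below are hypothetical.

// Fallbacks so this runs under plain `php`. Inside WordPress the real
// esc_attr()/esc_html()/sanitize_text_field() are defined and used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress' sanitize_text_field(): strip tags, collapse whitespace.
    function sanitize_text_field($text) {
        $text = strip_tags((string) $text);
        $text = preg_replace('/[\r\n\t ]+/', ' ', $text);
        return trim($text);
    }
}

// Constructed payload of the kind a Contributor could type into an SEO
// "meta description" box on their own draft. The leading "> closes the
// value="" attribute so the rest is parsed as markup.
$contributor_input = '"><img src=x onerror="fetch(\'/wp-admin/user-new.php\')">';

// Simulated stored value. In WordPress this would come from
// get_post_meta($post_id, '_demo_seo_description', true).
$stored_raw = $contributor_input;

// --- Vulnerable pattern: stored value concatenated straight into the metabox ---
function render_metabox_vulnerable($value) {
    // Any " in $value terminates the attribute; the injected <img onerror>
    // runs in the browser of whoever opens this post in the editor, e.g. an
    // administrator reviewing a contributor's draft.
    return '<input type="text" name="demo_seo_description" value="' . $value . '">';
}

// --- Hardened pattern: sanitize on save, escape on output ---
function save_metabox_hardened($raw) {
    // A meta description never legitimately contains markup, so strip it on
    // the way in regardless of the saving user's role.
    return sanitize_text_field($raw);
}

function render_metabox_hardened($value) {
    // Escape on the way out with the escaper that matches the context
    // (an HTML attribute here). This alone neutralizes the payload even if
    // an unsanitized value is already sitting in the database.
    return '<input type="text" name="demo_seo_description" value="' . esc_attr($value) . '">';
}

function render_preview_hardened($value) {
    // A different context (HTML text node) gets the matching escaper.
    return '<p class="seo-preview">' . esc_html($value) . '</p>';
}

echo "Vulnerable (raw value in attribute):\n";
echo render_metabox_vulnerable($stored_raw), "\n\n";

echo "Hardened output escaping on an already-stored raw value:\n";
echo render_metabox_hardened($stored_raw), "\n\n";

echo "Hardened save + output escaping:\n";
$stored_clean = save_metabox_hardened($contributor_input);
echo render_metabox_hardened($stored_clean), "\n";
echo render_preview_hardened($stored_clean), "\n";
```

The fix that matters is the escaping at output time: sanitizing on save is a useful second layer, but values written before the patch are already in the database, so only context-correct escaping in the editor and on the front end protects the administrator who opens the post.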

All In One SEO has patched both vulnerabilities in version 4.3.0, but so far only 25.5% of the plugin's 3+ million user base has updated to the latest version, leaving roughly three quarters of the plugin's users still running a vulnerable version.

The plugin’s changelog for version 4.3.0 includes a brief, vague note on the security fix included: “Updated: Additional security hardening.” There have been two more releases of the plugin since the vulnerabilities were patched in 4.3.0.


11 responses to “All In One SEO Patches Multiple Stored XSS Vulnerabilities in Version 4.3.0”

  1. The claim that Wordfence responsibly disclosed these isn’t really true, as they indirectly disclosed in the post that they were selling access to information on one of the vulnerabilities a day before they notified the developer (in the form of a firewall rule). So any hacker willing to pay for their Wordfence Premium service got the information before the developer, which isn’t responsible disclosure and seems problematic from a security provider. Hopefully, you will do a follow up post covering that aspect of this.

    The other vulnerability isn’t really a vulnerability, since the attacker would already need to have access to a WordPress account with the Administrator role, which already normally has the capability to do the equivalent of the vulnerability.

  2. “requires an authenticated attacker to have Administrator-level privileges”
    i.e. It’s not a vulnerability at all.
    No new privileges gained = no vulnerability, by definition.

    • If I understand the issue correctly it was that output wasn’t escaped. That means if the rendered content somehow came from a non-admin user (like a comment on a post), when a non-hacker admin logs in and sees that rendered content, it could allow that unescaped output to contain code, which could then use the credentials of the logged-in admin without their knowledge. So it likely didn’t need to be a hacker with admin access. That’s typical of unescaped content. I haven’t deeply checked out this issue, but that’s why all output must be escaped.

      • Not all output needs to be escaped, but most should be. Even WordPress doesn’t escape all output.

        Wordfence itself is claiming that the issue being referenced requires an authenticated attacker that has Administrator-level privileges, so the rendered content could not somehow come from a non-admin user. We checked into the claim and found that it does require that level of access.

    • I have received vulnerability reports from WordFence and Patchstack about my plugins in the past that explicitly require an administrator role to exploit, and it irks me. How are these vulnerabilities?

      I think they are creating these reports just to sell their product.
