Are you using the ‘All in One SEO Pack’ plugin on your WordPress website? Then you need to update ‘All in One SEO Pack’ immediately. Version 2.1.5 of the All in One SEO Pack contains a vulnerability that allows privilege escalation. This means that hackers will be able to grant themselves ‘Administrator’ permissions on the WordPress website.
The publishers of ‘All in One SEO Pack’ have published an update, which patches the privilege escalation vulnerability.
The publishers explain that hackers would be able to use cross-site scripting attacks to grant themselves administration permissions.
Security patch for vulnerabilities which might trigger privilege escalation and cross site scripting issues on WordPress administration panel reported by Sucuri (props to Marc at Sucuri)
Publishers use Content Management Systems because they make it easy to manage content. Content Management Systems like WordPress allow various plugins to be installed. These plugins often contain vulnerabilities which allow hackers to abuse WordPress websites. It is important to keep your environment up to date and to keep track of the latest security news.
Nulzsec reports on the ‘All in One SEO pack’ vulnerability:
In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.