If you use the WordPress All In One SEO Pack plugin and have not updated it recently, do it right now. Two potentially serious weaknesses have been discovered.
The bad news is that these are potentially very serious security holes that could allow an attacker to take control of some aspects of your site, or to inject cross-site scripting (XSS) payloads that run in the browsers of your site's visitors and logged-in users. The good news is that a security auditing firm found the weaknesses and the author of the All In One SEO Pack plugin has patched them in version 2.1.6.
Now that the vulnerabilities are public, attackers will undoubtedly be scanning for sites still running unpatched versions of the plugin.
The problems were discovered during a routine security audit performed by Sucuri. One aggravating factor in the older versions is that the plugin writes its own version number into every page's HTML source (as a comment in the <head> section), so an attacker does not have to guess: a simple scan of the HTML tells them exactly which sites are still running a vulnerable release.
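To show how little effort that disclosure saves an attacker, here is a small version check of the kind a scanner would run. This is an added example, not code from the plugin or from Sucuri's audit: the comment wording it matches (the plugin's name followed by a dotted version number, such as "All in One SEO Pack 2.1.5 by ...") is an assumption about the plugin's output, the sample pages are constructed, and the only hard fact it encodes is that 2.1.6 is the first patched release.

```python
import re

# First release containing the fix for the two issues discussed in this article.
PATCHED_VERSION = (2, 1, 6)

# The plugin announces itself in an HTML comment in <head>. The exact wording has
# varied between releases, so this is a deliberately loose pattern and an
# assumption about the output format, not something taken from the plugin source.
_VERSION_RE = re.compile(r"<!--\s*All in One SEO Pack\s+(\d+(?:\.\d+)+)", re.IGNORECASE)


def extract_aioseop_version(html_text):
    """Return the version string advertised in the page, or None if absent."""
    match = _VERSION_RE.search(html_text)
    return match.group(1) if match else None


def parse_version(text):
    """'2.1.10' -> (2, 1, 10). Tuples compare numerically; the strings would not
    ('2.1.10' < '2.1.6' as text), which is a classic scanner bug."""
    return tuple(int(part) for part in text.split("."))


def assess(html_text):
    """Classify a page as 'not-detected', 'vulnerable' or 'patched',
    returning (status, version)."""
    version = extract_aioseop_version(html_text)
    if version is None:
        return "not-detected", None
    status = "patched" if parse_version(version) >= PATCHED_VERSION else "vulnerable"
    return status, version


# Constructed sample responses for the demo (not captured from any real site).
SAMPLE_OLD = """<html><head>
<!-- All in One SEO Pack 2.1.5 by Michael Torbert of Semper Fi Web Design[123,456] -->
<title>Example</title></head><body></body></html>"""

SAMPLE_NEW = SAMPLE_OLD.replace("2.1.5", "2.1.6")
SAMPLE_LATER = SAMPLE_OLD.replace("2.1.5", "2.1.10")
SAMPLE_NONE = "<html><head><title>Example</title></head><body></body></html>"

if __name__ == "__main__":
    for name, page in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW),
                       ("later", SAMPLE_LATER), ("none", SAMPLE_NONE)):
        print(name, assess(page))
```

Note that the check compares version tuples rather than strings; a scanner that compared "2.1.10" to "2.1.6" as text would wrongly report a later release as vulnerable. The defensive takeaway is the mirror image: do not let a plugin advertise its version in public markup if you can avoid it, and update promptly when you cannot.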
The first flaw could allow an attacker to change a site's HTML title tags and meta data, which could be used to trash a website's search engine rankings.
The second is cross-site scripting (XSS): an attacker gets their own JavaScript to run in other users' browsers in the context of your site, where it can steal information such as session cookies from those users or alter how the site appears to them.
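The two flaws are closely related, because SEO fields such as the title and meta description end up inside the page's <head>, and any value written there without escaping is an XSS sink. The following is an added illustration of that general mechanism in Python, not the plugin's code and not the specific bug Sucuri reported: the render functions, the payload strings and the tag-collecting checker are all constructed for this example.

```python
import html
from html.parser import HTMLParser


def render_head_vulnerable(title, description):
    """Anti-pattern: SEO fields interpolated straight into markup."""
    return (f"<title>{title}</title>\n"
            f'<meta name="description" content="{description}">')


def render_head_hardened(title, description):
    """Escape for the context the value lands in. html.escape(quote=True)
    encodes & < > " and ', so a value can neither close the <title> element
    nor break out of the content="..." attribute."""
    return (f"<title>{html.escape(title, quote=True)}</title>\n"
            f'<meta name="description" content="{html.escape(description, quote=True)}">')


class _TagCollector(HTMLParser):
    """Records the start tags a browser-like parser would see in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    """Return the list of element names the markup actually opens."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Constructed payloads: one closes the <title> element, the other closes the
# content attribute. Both then open a <script> element in the page head.
PAYLOAD_TITLE = "</title><script>alert(1)</script><title>"
PAYLOAD_DESC = '"><script>alert(1)</script><meta x="'

if __name__ == "__main__":
    print("vulnerable:", start_tags(render_head_vulnerable(PAYLOAD_TITLE, PAYLOAD_DESC)))
    print("hardened:  ", start_tags(render_head_hardened(PAYLOAD_TITLE, PAYLOAD_DESC)))
```

Run it and the vulnerable renderer yields a tag list containing two <script> elements, while the hardened one yields exactly the <title> and <meta> elements it intended to emit; the payload text survives only as inert, entity-encoded characters. In the plugin's own language the equivalent calls are WordPress's esc_html() and esc_attr(), applied at the point of output, not at the point of storage.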
All In One SEO Pack and WordPress SEO by Yoast are the two most popular SEO plugins. While the former shows a greater number of downloads, it has also been available much longer. Over the past few years a lot of WordPress users have migrated to Yoast’s plugin because it is more comprehensive with many features not found on All In One SEO. Both have historically been rock solid plugins.