Wordfence has published the details of two stored XSS vulnerabilities the company responsibly disclosed to the developers of the All In One SEO plugin in January 2023. The vulnerabilities likely impacted more than 3 million users on versions 4.2.9 and earlier.
One vulnerability, which received a 6.4 (Medium) CVSS rating, Wordfence attributes to inadequate input sanitization and output escaping. Researchers found that this “makes it possible for authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
The second vulnerability was given a 4.4 (Medium) CVSS rating and requires an authenticated attacker to have Administrator-level privileges. Wordfence outlined how attackers could exploit these vulnerabilities:
This is a likely scenario to occur as posts written by contributors must be reviewed and moderated prior to publication.
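To show the bug class Wordfence describes (missing input sanitization on save, missing output escaping on render, triggered when a reviewer opens a Contributor's draft), here is an added illustration of a generic WordPress meta box. It is not All In One SEO's code and does not reproduce the plugin's actual defect; the `demo_` function names and the `_demo_seo_title` meta key are hypothetical, and the WordPress API functions it calls are real.

```php
<?php
// Added example: vulnerable vs. hardened meta-box handling for a stored,
// Contributor-level XSS. Hypothetical names; requires the WordPress API.

// --- Vulnerable pattern -----------------------------------------------------
// A Contributor can save a draft, so whatever is submitted here is stored verbatim.
function demo_vuln_save( $post_id ) {
    if ( isset( $_POST['demo_seo_title'] ) ) {
        update_post_meta( $post_id, '_demo_seo_title', $_POST['demo_seo_title'] );
    }
}
// Rendered unescaped in the edit screen: an Editor or Administrator reviewing
// the draft runs any script markup the Contributor stored.
function demo_vuln_render( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    echo '<input type="text" name="demo_seo_title" value="' . $title . '">';
    echo '<p>Preview: ' . $title . '</p>';
}

// --- Hardened pattern -------------------------------------------------------
function demo_safe_save( $post_id ) {
    // Nonce plus capability check: blocks CSRF and writes to posts the user cannot edit.
    if ( ! isset( $_POST['demo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_nonce'], 'demo_save_' . $post_id )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['demo_seo_title'] ) ) {
        // Sanitize on input: strips tags, control characters and surrounding whitespace.
        $clean = sanitize_text_field( wp_unslash( $_POST['demo_seo_title'] ) );
        update_post_meta( $post_id, '_demo_seo_title', $clean );
    }
}
function demo_safe_render( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    wp_nonce_field( 'demo_save_' . $post->ID, 'demo_nonce' );
    // Escape on output for the exact context (attribute value vs. HTML text).
    // This is the control that still holds if the sanitizer is ever bypassed.
    echo '<input type="text" name="demo_seo_title" value="' . esc_attr( $title ) . '">';
    echo '<p>Preview: ' . esc_html( $title ) . '</p>';
}

add_action( 'save_post', 'demo_safe_save' );
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'demo_seo', 'Demo SEO title', 'demo_safe_render', 'post' );
} );
```

Reviewing a plugin for this class means checking both halves: every `$_POST`/`$_GET` value passes through a `sanitize_*()` call before storage, and every stored value passes through the context-appropriate `esc_*()` call before being echoed.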
All In One SEO has patched both vulnerabilities in version 4.3.0, but so far only 25.5% of the plugin’s 3+ million user base has updated to the latest version, leaving roughly 3/4 of the plugin’s users still vulnerable.
The plugin’s changelog for version 4.3.0 includes a brief, vague note on the security fix included: “Updated: Additional security hardening.” There have been two more releases of the plugin since the vulnerabilities were patched in 4.3.0.