Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin

From: Summer of Pwnage <lists () securify nl>
Date: Sun, 10 Jul 2016 08:46:21 +0200
------------------------------------------------------------------------
Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the Bot Blocker
functionality of the All in One SEO Pack WordPress Plugin (1+ million
active installs). This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the All in One SEO Pack WordPress
Plugin version 2.3.6.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in version 2.3.7 of the plugin.

Free version https://wordpress.org/plugins/all-in-one-seo-pack/
Pro version https://semperplugins.com/all-in-one-seo-pack-pro-version/

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html
Previous By Date Next
Previous By Thread Next

Current thread: