On January 26, 2023, the Wordfence Team responsibly disclosed two vulnerabilities in All In One SEO Pack, a WordPress plugin installed on over 3 Million sites which provides search engine optimization tools designed to help content creators optimize their sites and reach more users.
Both reported issues were Stored Cross-Site Scripting vulnerabilities with one of them requiring Administrator-level privileges (CVE-2023-0585) while the other was accessible to Contributor users and higher (CVE-2023-0586).
On January 25, 2023, the Wordfence team issued a custom firewall rule to address the Contributor+ Cross-Site Scripting vulnerability and released it to our Wordfence Premium, Wordfence Care, and Wordfence Response users. Wordfence Free users received this rule 30 days later. As of February 24, 2023, all Wordfence users are protected against this vulnerability by this rule.
The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator-level access or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
This is a likely scenario, as posts written by Contributors have to be reviewed and moderated by a higher-privileged user, such as an Administrator, prior to publication.
This vulnerability is a little different from the ones we have covered in the past, as the vulnerable code is executed as a result of modifying the Document Object Model (DOM) in the victim’s browser after the page loads. More specifically, in the screenshot above the plugin uses the input in the Post Title field and creates a Snippet Preview on the fly. The malicious code is stored, but does not get executed until this DOM modification takes place. This type of Cross-Site Scripting vulnerability is often referred to as DOM-XSS.
It is important to keep in mind that the malicious code may be executed within the context of an administrator’s browser session and could be used to create new malicious user accounts or to modify site code, among other things. As such, these types of vulnerabilities should be taken seriously even if only Contributor-level privileges are required for successful exploitation.
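To illustrate the difference between the vulnerable and the hardened pattern, the following is an added example and not the plugin’s own code: a snippet preview assembled in the browser from a stored post title, first by concatenating the title straight into markup (the pattern that turns a stored title into live DOM nodes once assigned via innerHTML), then with output escaping plus storage-side sanitization. The function names, the sample title and the URL are assumptions constructed for this example.

```javascript
// Added example (not the plugin's code): snippet preview built from a stored post title.
const TITLE_MAX = 60;
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Output escaping: untrusted text becomes inert when placed into HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Storage-side sanitization (defense in depth, modelled on the behaviour of
// WordPress's sanitize_text_field): strip tags, drop control characters,
// collapse whitespace. This is not a substitute for escaping at output time.
function sanitizeTitleForStorage(raw) {
  return String(raw)
    .replace(/<[^>]*>?/g, '')
    .replace(/[\u0000-\u001f\u007f]/g, '')
    .replace(/\s+/g, ' ')
    .trim();
}

// Vulnerable pattern: the stored title is concatenated into markup that the page
// later assigns with element.innerHTML, so any tag in the title becomes a DOM node
// and its event handlers run in the viewer's (for example, a moderator's) session.
function renderPreviewVulnerable(title, url) {
  return '<div class="snippet"><a href="' + url + '">' + title + '</a></div>';
}

// Hardened pattern: truncate first (so an entity is never split), then escape
// every untrusted value at the point of output. Equivalently, in the browser,
// set element.textContent = shown instead of building innerHTML.
function renderPreviewSafe(title, url) {
  const shown = title.length > TITLE_MAX ? title.slice(0, TITLE_MAX) + '…' : title;
  return '<div class="snippet"><a href="' + escapeHtml(url) + '">' + escapeHtml(shown) + '</a></div>';
}

// Constructed sample: a Contributor-supplied title carrying a tag with an event
// handler attribute; xssMarker is a placeholder name, not a real function.
const SAMPLE_TITLE = 'Quarterly update <img src=x onerror="xssMarker()">';
const SAMPLE_URL = 'https://example.com/p';

console.log(renderPreviewVulnerable(SAMPLE_TITLE, SAMPLE_URL)); // contains a live <img> tag
console.log(renderPreviewSafe(SAMPLE_TITLE, SAMPLE_URL));       // contains only &lt;img ... text
console.log(sanitizeTitleForStorage(SAMPLE_TITLE));             // "Quarterly update"
```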
January 25, 2023 – Wordfence releases a firewall rule to address the Contributor+ Stored Cross-Site Scripting vulnerability.
January 26, 2023 – The Wordfence team responsibly discloses the vulnerabilities to the plugin vendor.
January 27, 2023 – The vendor confirms receipt and begins work on a fix.
February 6, 2023 – Release 4.3.0 addresses both vulnerabilities.
February 24, 2023 – The firewall rule to address the Contributor+ Stored Cross-Site Scripting vulnerability is released to our Wordfence Free users.
In today’s post, we covered two Cross-Site Scripting vulnerabilities in All In One SEO Pack, a search engine optimization plugin with over 3 Million users. The Wordfence Threat Intelligence team issued a firewall rule providing protection against the Contributor+ Stored Cross-Site Scripting vulnerability on January 25, 2023. This rule has been protecting our Wordfence Premium, Wordfence Care and Wordfence Response users since that date, while those still using our free version received this rule on February 24, 2023.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of All In One SEO Pack as soon as possible.
If you are a security researcher, you can responsibly disclose your findings to us, obtain a CVE ID, and get your name on the Wordfence Intelligence Community Edition leaderboard.