In de All in One SEO Pack versies 2.3.6.1. en ouder is een enrstige lek gecontstateerd dat een wijdverspreide invloed zal hebben,
Het geeft kwaadwillenden op afstand de mogelijkheid om volledige controle over een WordPress website te krijgen door kwaadaardige HTTP-headers naar willekeurige URL's van de aangevallen site te sturen.

Installeer direct de beveiligingsupdate via https://wordpress.org/plugins/all-in-one-seo-pack

Klanten wiens WP-site onderhouden wordt door FDMstudio hoeven geen actie te ondernemen!



Lees hieronder meer op welke WP-sites deze problematiek van toepassing is:

There is a serious stored cross site scripting (XSS) vulnerability in All in One SEO Pack Plugin versions 2.3.6.1 and older. This plugin is installed on over 1 million active websites and is extremely popular and widely used.

The vulnerability allows an attacker to send a malicious HTTP User-Agent or Referrer header to the site containing an XSS payload. If the administrator then visits their admin panel and views the “Bad Bot Blocker” settings page in this plugin, the attacker can take full control of their site.

This vulnerability is only exploitable on sites that have the “Track Blocked Bots” setting enabled. This setting is not enabled by default. We do not have definitive data to indicate how many users of the plugin have enabled this feature. However, this plugin is extremely popular:

  • All in One SEO Pack has been downloaded over 28 million times (this includes upgrades)
  • It has been around for over 9 years
  • It is one of the most downloaded WordPress plugins. Contrary to its claim of being the most downloaded WordPress plugin, Akismet, Yoast SEO and Contact Form 7 have more downloads.

This attack has a CVSS score of 8.8 (High), however due to the extremely wide-spread use of the All in One SEO Pack plugin, we are adding this additional advisory: Wordfence rates this vulnerability as very serious because it is useful to an attacker and widely exploitable. 

If as few as 10% of sites have the feature enabled, assuming an install base of 5 million active sites, that creates 500,000 vulnerable sites.

What to do

Wordfence Premium customers are already protected against exploitation of this vulnerability. We released a firewall rule to our premium customers early this morning which blocks this exploit. Our free customers will receive the rule on August 12th.

If you are using the free version of Wordfence or are not using Wordfence at all, you will need to immediately upgrade to All in One SEO Pack Plugin version 2.3.7 which contains the fix for this security issue.

Additional Details

This vulnerability was discovered by David Vaartjes and you can find the full technical details of the vulnerability on his site. Congratulations David, from the Wordfence team, on unearthing this serious issue.

A proof of concept has been published on exploit-db, which means this attack is already in the wild.



 


Wednesday, July 13, 2016

« Terug