Flaws in Popular WordPress Plug-Ins Put Millions of Websites at Risk

One of the most known features of WordPress is its innate ability to be extended by plugins. These plugins can do anything and everything, from integrating email subscription opt-in boxes to optimizing your WordPress site so that it performs better.

The problem is that some of the more popular SEO plug-ins built for WordPress are now putting websites at risk. Researchers have identified one particular plug-in that could compromise up to 18.5 million websites.

Two Major Flaws Could Leave Millions Vulnerable
Sucuri, a web security firm that specializes in identifying and assessing web-based vulnerabilities, has identified two key vulnerabilities within the “All in One SEO Pack” plugin for WordPress. These vulnerabilities put any website that runs certain versions of this plugin and has non-administrator users at risk.

The vulnerability works by leveraging two major faults in the plugin.

The first step is to gain access to a non-admin user, which many websites have in the form of reader accounts, forum accounts and author accounts. Even users registered on websites with open registration, who would normally have limited access, can make use of this flaw to edit things like the title of content, the description and the keyword tags created by the All in One SEO Pack plugin.

The second step is for the malicious user to elevate the compromised user’s account so that it has administrator access. This allows them to plant malicious JavaScript code directly into the WordPress administration panel.

When an administrator logs into the admin area, the code will automatically run. This can be used to download malicious software on an administrator’s computer, steal session keys and cookies, and many other things that can fully compromise a website that uses WordPress.
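The two faults described above map onto two missing controls in a meta-box save handler: a capability check on write and output escaping on read. The following is an added example, not the All in One SEO Pack's own code; the `demo_seo_*` function names and `_demo_seo_*` meta keys are hypothetical, and the WordPress API calls (`current_user_can`, `wp_verify_nonce`, `sanitize_text_field`, `esc_attr`) are the standard ones.

```php
<?php
// Added example (hypothetical plugin, not the All in One SEO Pack's code).
// Shows the unsafe pattern behind the two flaws beside the hardened form.

$demo_seo_fields = array( 'title', 'description', 'keywords' );

// UNSAFE: any request that reaches save_post can overwrite the SEO meta,
// no matter who the user is, and the value is stored exactly as submitted.
function demo_seo_save_unsafe( $post_id ) {
    global $demo_seo_fields;
    foreach ( $demo_seo_fields as $field ) {
        if ( isset( $_POST[ 'demo_seo_' . $field ] ) ) {
            update_post_meta( $post_id, '_demo_seo_' . $field, $_POST[ 'demo_seo_' . $field ] );
        }
    }
}

// HARDENED: verify the form nonce, require that the current user may edit
// this specific post (a subscriber or reader account cannot), and sanitize
// the value before it is stored.
function demo_seo_save_safe( $post_id ) {
    global $demo_seo_fields;
    if ( ! isset( $_POST['demo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_seo_nonce'], 'demo_seo_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return; // blocks the low-privilege edit the article describes
    }
    foreach ( $demo_seo_fields as $field ) {
        if ( isset( $_POST[ 'demo_seo_' . $field ] ) ) {
            $clean = sanitize_text_field( wp_unslash( $_POST[ 'demo_seo_' . $field ] ) );
            update_post_meta( $post_id, '_demo_seo_' . $field, $clean );
        }
    }
}
add_action( 'save_post', 'demo_seo_save_safe' );

// Rendering in the admin panel: escape the stored value so that a value
// containing markup is displayed as text, not executed when an admin opens
// the page. The nonce field pairs with the check in demo_seo_save_safe().
function demo_seo_render_meta_box( $post ) {
    global $demo_seo_fields;
    wp_nonce_field( 'demo_seo_save', 'demo_seo_nonce' );
    foreach ( $demo_seo_fields as $field ) {
        $value = get_post_meta( $post->ID, '_demo_seo_' . $field, true );
        printf(
            '<label>%1$s <input type="text" name="demo_seo_%1$s" value="%2$s"></label>',
            esc_attr( $field ),
            esc_attr( $value )
        );
    }
}
```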

Protecting Against Attacks
Websites that currently have the All in One SEO Pack plugin running should navigate to WordPress.org or the plugin’s website to download the 2.1.6 version that was released last Sunday. It fixes both of the aforementioned vulnerabilities.

Security risks caused by WordPress plugins are nothing new. In 2011, it was found that TimThumb, a script bundled with countless popular WordPress themes, had a critical vulnerability that allowed malicious individuals to compromise entire WordPress installations. The vulnerability was so useful that attacks targeting TimThumb still exist today.

The problems posed by vulnerabilities in WordPress plugins like the All in One SEO Pack should be a reminder to website owners to regularly test their website for vulnerabilities and to keep their WordPress installations up to date. While WordPress itself may be one of the safest back-ends for a website to run, the plugins it runs may not be as secure.

We will soon be offering a new service to everyone running a WordPress website that will protect you from these types of issues by updating your plugins on a daily basis, along with 24/7 monitoring for suspicious activity. Last but not least, we also include a backup service from which you can restore the website (like Time Machine) if it’s too late to fix… Sign up now at WP MayDay.com
