what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress All In One SEO Pack 4.2.9 Cross Site Scripting

WordPress All In One SEO Pack 4.2.9 Cross Site Scripting
Posted Feb 28, 2023
Authored by Ivan Kuzymchak | Site wordfence.com

WordPress All In One SEO Pack plugin versions 4.2.9 and below suffer from multiple persistent cross site scripting vulnerabilities.

tags | advisory, vulnerability, xss
advisories | CVE-2023-0585, CVE-2023-0586
SHA-256 | 74a6135d643e33e4d021ee5ec58f0ee2bd51c430b63b1e5f75fa0e95dc108a92

WordPress All In One SEO Pack 4.2.9 Cross Site Scripting

Change Mirror Download
Affected Plugin: All In One SEO Pack

Plugin Slug: all-in-one-seo-pack

Affected Versions: <= 4.2.9

CVE ID: CVE-2023-0586

CVSS Score: 6.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Researcher/s: Ivan Kuzymchak

Fully Patched Version: 4.3.0

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Description: Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Plugin: All In One SEO Pack

Plugin Slug: all-in-one-seo-pack

Affected Versions: <= 4.2.9

CVE ID: CVE-2023-0585

CVSS Score: 4.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Researcher/s: Ivan Kuzymchak

Fully Patched Version: 4.3.0

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator-level access or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerability Analysis

The All In One SEO Pack plugin provides site owners with an intuitive interface to assist in optimizing site content for search engines, both during setup as well as on an ongoing per-post and per-page basis. Unfortunately, vulnerable versions of this plugin fail to escape submitted site titles, meta descriptions and other elements during post and page creation, and when changing plugin settings. This made it possible for users with access to the post editor, such as contributors, to insert malicious JavaScript into those fields, which would execute in the browser of any authenticated user, such as a site’s administrator, editing such a post or page.

This is a likely scenario to occur as posts written by contributors have to be reviewed and moderated prior to publication.

xss1

This vulnerability is a little more unique than the ones we have covered in the past as the vulnerable code is executed as a result of modifying the Domain Object Model (DOM) in the victim’s browser after the page loads. More specifically, in the screenshot above the plugin uses the input in the Post Title field and creates a Snippet Preview on the fly. The malicious code is stored, but does not get executed until this DOM modification takes place. This type of Cross-Site Scripting vulnerability is often referred to as DOM-XSS.

Similarly, an Administrator could modify the Search Appearance or General Social Media settings to include the same malicious payload, which resulted in malicious JavaScript code execution, when editing pages or posts as well as when viewing the all post/page listing.

xss-admin

It is important to keep in mind that malicious code may be executed within the context of an administrator’s browser sessions and could be used to generate new malicious user accounts and be utilized for code manipulation among other things. As such, these types of vulnerabilities should be taken seriously even if Contributor-level privileges are required for successful exploitation.

Timeline

January 25, 2023 – Wordfence releases a firewall rule to address the Contributor+ Stored Cross-Site Scripting vulnerability.

January 26, 2023 – The Wordfence team responsibly discloses the vulnerabilities to the plugin vendor.

January 27, 2023 – The vendor confirms receipt and begins work on a fix.

February 6, 2023 – Release 4.3.0 addresses both vulnerabilities.

February 24, 2023 – The firewall rule to address the Contributor+ Stored Cross-Site Scripting vulnerability is released to our Wordfence Free users.

Conclusion

In today’s post, we covered two Cross-Site Scripting vulnerabilities in All In One SEO Pack, a search engine optimization plugin with over 3 Million users. The Wordfence Threat Intelligence team issued a firewall rule providing protection against the Contributor+ Stored Cross-Site Scripting vulnerability on January 25, 2023. This rule has been protecting our Wordfence Premium, Wordfence Care and Wordfence Response users since that date, while those still using our free version received this rule on February 24, 2023.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of All In One SEO Pack as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close