July 16

2 Million Users Affected by Vulnerability in All in One SEO Pack

WordPress Vulnerabilities


On July 10, 2020, our Threat Intelligence team discovered a vulnerability in All in One SEO Pack, a WordPress plugin installed on over 2 million sites. This flaw allowed authenticated users with contributor-level access or above to inject malicious scripts that would be executed if a victim accessed the wp-admin panel's 'all posts' page.

We reached out to the plugin's team the same day, July 10, 2020, and a patch was released just a few days later, on July 15, 2020.

This is considered a medium severity security issue that, like all XSS vulnerabilities, can lead to complete site takeover and other severe consequences. We strongly recommend updating to the latest version of the plugin immediately. At the time of writing, that is version 3.6.2 of All in One SEO Pack.

Wordfence Premium customers received a new firewall rule on July 10, 2020 to protect against exploits targeting this vulnerability. Free Wordfence users will receive this rule after four weeks, on August 9, 2020.


All in One SEO Pack is a plugin that provides several SEO-enhancing features to help rank a WordPress site's content higher on search engines. As part of its functionality, it allows users who have the ability to create or edit posts to set an SEO title and SEO description directly from the post as it is being edited. This makes it easier for post creators to improve the SEO of posts as they write them. This feature is available to all users that can create posts, such as contributors, authors, and editors.

Unfortunately, the SEO meta data for posts, including the SEO title and SEO description fields, had no input sanitization, allowing lower-level users like contributors and authors to inject HTML and malicious JavaScript into those fields.

	/**
	 * Saves the info of our metabox settings for a post.
	 *
	 * @since   ?
	 * @since   3.4.0   Added support for priority/frequency + minor refactoring.
	 *
	 * @param   int     $id     The ID of the post.
	 * @return  bool            Returns false when there is no POST data.
	 */
	function save_post_data( $id ) {
		$awmp_edit = null;
		$nonce     = null;

		if ( empty( $_POST ) ) {
			return false;
		}

		if ( isset( $_POST['aiosp_edit'] ) ) {
			$awmp_edit = $_POST['aiosp_edit'];
		}

		if ( isset( $_POST['nonce-aioseop-edit'] ) ) {
			$nonce = $_POST['nonce-aioseop-edit'];
		}

		if ( isset( $awmp_edit ) && ! empty( $awmp_edit ) && wp_verify_nonce( $nonce, 'edit-aioseop-nonce' ) ) {

			$optlist = array(
				'keywords',
				'description',
				'title',
				'custom_link',
				'sitemap_exclude',
				'disable',
				'disable_analytics',
				'noindex',
				'nofollow',
				'sitemap_priority',
				'sitemap_frequency',
			);

			if ( empty( $this->options['aiosp_can'] ) ) {
				unset( $optlist['custom_link'] );
			}

			if ( ! AIOSEOPPRO ) {
				$optlist = array_diff( $optlist, array( 'sitemap_priority', 'sitemap_frequency' ) );
			}

			foreach ( $optlist as $optionName ) {
				// No sanitization: the raw POST value is written straight to post meta.
				$value = isset( $_POST[ "aiosp_$optionName" ] ) ? $_POST[ "aiosp_$optionName" ] : '';
				update_post_meta( $id, "_aioseop_$optionName", $value );
			}
		}
	}

Here is a look at where these fields can be edited in the post editor:

SEO area in a post from All in One SEO Pack.

The SEO title and SEO description for every post are always displayed on the 'all posts' page, where they appear in the far right column for quick editing access. Therefore, any values placed in the SEO title and SEO description fields would be displayed in an unsanitized format, causing JavaScript saved in these fields to be executed whenever any user accessed the 'all posts' page.

The SEO Title and SEO Description areas that appear on the 'all posts' admin page.

Any JavaScript injected into the SEO description field would also be executed when visiting the page directly if the attacker inserted a closing script tag before adding their own script. For example, it might look like </script><script>alert(0)</script>. This works because the closing tag terminates the script tag that originally wraps the SEO description and injects another script directly after it.

Using a closing script tag to start a new script.

Because the JavaScript executes every time a user accesses the 'all posts' page, this vulnerability would be a prime target for attackers who can gain access to an account that allows them to create content. Since Contributors must submit all posts for review by an Administrator or Editor, a malicious Contributor could be confident that a higher-privileged user would access the 'all posts' area to review any pending posts. If the malicious JavaScript was executed in an Administrator's browser, it could be used to inject backdoors or add new administrative users and take over a site.

Fortunately, in the patched version, the plugin developer has added sanitization to all of the SEO post meta values, so any HTML characters supplied will be escaped and unable to become executable scripts.
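As an added example (not the plugin's or Wordfence's code), the following puts the unsanitized save loop beside a hardened form and adds render-time escaping for the 'all posts' column and for a value embedded in an inline script block, which is the case the closing-tag payload above abuses. It assumes WordPress core is loaded; the `aioseop_*` helper names are hypothetical, and the exact escaping functions used by the 3.6.2 patch are not shown in the post.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress core functions
// (sanitize_text_field, wp_unslash, esc_html, esc_attr, wp_json_encode,
// update_post_meta) are available. Helper names are hypothetical.

// Vulnerable form (the behaviour described for versions before 3.6.2):
// the raw POST value is stored, so '</script><script>...' is persisted.
function aioseop_save_meta_vulnerable( $id, $optionName ) {
    $value = isset( $_POST[ "aiosp_$optionName" ] ) ? $_POST[ "aiosp_$optionName" ] : '';
    update_post_meta( $id, "_aioseop_$optionName", $value );
}

// Hardened form: strip tags and control characters before storing. A
// contributor's payload is reduced to plain text before it reaches the DB.
function aioseop_save_meta_hardened( $id, $optionName ) {
    $value = isset( $_POST[ "aiosp_$optionName" ] )
        ? sanitize_text_field( wp_unslash( $_POST[ "aiosp_$optionName" ] ) )
        : '';
    update_post_meta( $id, "_aioseop_$optionName", $value );
}

// Output side, 'all posts' column: escape at render time regardless of what
// is stored, so older unsanitized rows cannot execute either.
function aioseop_render_column_cell( $title, $description ) {
    return '<div class="aioseop-title" data-title="' . esc_attr( $title ) . '">'
         . esc_html( $title ) . '</div>'
         . '<div class="aioseop-description">' . esc_html( $description ) . '</div>';
}

// Output side, value handed to JavaScript inside a <script> block: JSON-encode
// with tag characters hex-escaped, so a stored '</script>' cannot close the
// block the way the post describes.
function aioseop_render_inline_script( $description ) {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json  = wp_json_encode( $description, $flags );
    return "<script>var aioseopDescription = $json;</script>";
}

// Constructed input mirroring the payload discussed in the post.
$payload = '</script><script>alert(0)</script>';
echo aioseop_render_column_cell( 'Title', $payload ), "\n";
echo aioseop_render_inline_script( $payload ), "\n";
```

The hardened save and the render-time escaping are independent layers: the first keeps markup out of the stored meta, the second makes the column safe even for rows written before the fix.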

Proof of Concept Walkthrough

How Concerning Is a Contributor+ Vulnerability?

The good news about this vulnerability is that it requires a high level of permissions to exploit, making it harder for attackers to actually use in an attack. Therefore, it is less likely to be targeted in a mass automated campaign. It could, however, be one additional method of escalating a more sophisticated attack. For that reason, there are several security precautions you should always keep in mind to help protect your site against vulnerabilities that require higher-level user access.

Always use the principle of least privilege.
Least privilege is a security concept that says users should receive the minimum set of privileges necessary to do their job. This means that when you provide users with access to your site, you should make sure you are giving them the least amount of privilege needed to perform any required actions. If your users don't need to write posts but need an account, make sure you are only giving them subscriber-level access or equivalent. You can read more about WordPress Roles and Capabilities here.

We understand that in some cases you may need to give users slightly more privileges than their normal day-to-day routine requires in order to accomplish certain tasks. In those cases, we recommend granting users temporarily elevated privileges and revoking those privileges once the task has been completed.

For example, if you want someone to write a guest post on your WordPress blog, we recommend giving them contributor-level access to write the post and, once they are finished, downgrading their privileges to subscriber-level. After they are done writing the guest post they no longer need contributor-level privileges, so downgrading them maintains the principle of least privilege and is optimal for the site's security.

Along with this, we recommend auditing your site's user accounts to make sure there are no rogue or left-over accounts that should be deleted. Leaving unused accounts on a site provides attackers with more possible intrusion vectors for exploiting vulnerabilities that require higher-level permissions.
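The audit and downgrade steps above, as an added example that is not from the post or from Wordfence: it lists accounts holding a content-creating role (the roles a Contributor+ flaw like this one needs) that have never published a post, and downgrades a finished guest author to subscriber. It assumes it runs inside WordPress (for instance via WP-CLI's `wp eval-file`) and uses only core APIs; the function names are hypothetical.

```php
<?php
// Added example, not from the post. Assumes WordPress core is loaded:
// get_users(), count_user_posts(), get_user_by() and WP_User::set_role()
// are core APIs. Function names below are hypothetical.

// Roles that can create or edit posts and therefore reach the SEO fields.
function elevated_roles() {
    return array( 'contributor', 'author', 'editor', 'administrator' );
}

// Elevated accounts with no published posts at all: candidates for deletion
// or downgrade after a manual review (constructed criterion, adjust to taste).
function find_idle_elevated_users() {
    $idle = array();
    foreach ( get_users( array( 'role__in' => elevated_roles() ) ) as $user ) {
        $published = (int) count_user_posts( $user->ID, 'post', true );
        if ( 0 === $published ) {
            $idle[] = array(
                'login'      => $user->user_login,
                'roles'      => $user->roles,
                'registered' => $user->user_registered,
            );
        }
    }
    return $idle;
}

// Downgrade a guest author once their post is in. set_role() replaces every
// role on the account, so no contributor capability is left behind.
// Administrators are skipped on purpose: change those by hand.
function downgrade_to_subscriber( $login ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user || in_array( 'administrator', $user->roles, true ) ) {
        return false;
    }
    $user->set_role( 'subscriber' );
    return true;
}

// Report for the site owner; nothing is changed until downgrade_to_subscriber()
// is called explicitly for a reviewed account.
foreach ( find_idle_elevated_users() as $row ) {
    printf( "%s [%s] registered %s has no published posts; review this account\n",
        $row['login'], implode( ',', $row['roles'] ), $row['registered'] );
}
```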

Trust and verification are essential when providing users with access to your site.
When granting users higher-level roles like contributor, author, and editor, we recommend verifying that the person can be trusted. This can be done by checking references or by establishing security protocols that limit access to people who work for reputable companies.

If someone calls you, sends you an email, or contacts you in any way saying they need access to your site for any reason, and it's not from someone you know and trust, then it may be a social engineering attempt. Never provide credentials or user account access unless you can trust and verify who you are providing that information to.

Also make sure you never share accounts or passwords. Instead, create separate accounts and choose the option to notify the user about the account via email. That way the user can create their own password, and you can enforce strong passwords using Wordfence, so that passwords are never transmitted via email, which should be considered an insecure channel of communication. When you are not sharing accounts, you can always revoke access immediately for a new user if malicious actions begin to appear.

Use and enforce strong passwords for users, especially those with higher privileges.
We recommend enforcing strong passwords for all users; however, accounts with higher privileges carry a higher risk because they have more capabilities associated with them. For that reason, strong passwords are especially important to enforce in order to mitigate the risk of attackers gaining unauthorized access to these accounts through password-compromising techniques like brute force.

We also recommend enforcing two-factor authentication for all users, especially those with higher-level capabilities, to help provide an extra layer of login security and protection against brute force attacks and compromised passwords. Wordfence makes this easy with built-in functionality that can be found in the "Login Security" section of the Wordfence plugin or by using the standalone Wordfence Login Security plugin. You can learn more about how to enable and configure these settings here.

Disclosure Timeline

July 10, 2020 – Initial discovery and analysis of the vulnerability. Firewall rule released for Wordfence Premium customers. Initial outreach to the Semper plugin team.
July 13, 2020 – The lead developer at Semper confirms an appropriate discussion channel. We provide full disclosure.
July 15, 2020 – A patch is released (version 3.6.2).
August 9, 2020 – Free Wordfence users receive the firewall rule.

Conclusion

In today's post, we detailed a flaw that allowed higher-level WordPress users to inject malicious scripts into posts through the All in One SEO Pack plugin. This flaw has been fully patched in version 3.6.2. We recommend that users immediately update to the latest version available at the time of reading this.

Sites running Wordfence Premium have been protected against attacks on this vulnerability since July 10, 2020. Sites running the free version of Wordfence will receive this firewall rule update on August 9, 2020. If you know a friend or colleague who is using this plugin on their site, we strongly recommend forwarding this advisory to them so they can update and protect their WordPress site.

Special thanks to the Lead Developer for All in One SEO Pack, Benjamin Rojas, for working quickly to get a patch out to protect users.

The post 2 Million Users Affected by Vulnerability in All in One SEO Pack appeared first on Wordfence.
