Wordfence has discovered two vulnerabilities in All In One SEO Pack, a WordPress plugin installed on over 3 million sites.
Both reported issues are Stored Cross-Site Scripting vulnerabilities: one requires Administrator-level privileges to exploit (CVE-2023-0585), while the other is reachable by Contributor-level users and higher (CVE-2023-0586).
Description: Authenticated (Contributor+) Stored Cross-Site Scripting
The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Description: Authenticated (Administrator+) Stored Cross-Site Scripting
The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator-level access or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Vulnerability Analysis
The All In One SEO Pack plugin provides site owners with an intuitive interface to assist in optimizing site content for search engines, both during setup as well as on an ongoing per-post and per-page basis. Unfortunately, vulnerable versions of this plugin fail to escape submitted site titles, meta descriptions, and other elements during post and page creation, and when changing plugin settings.
This made it possible for users with access to the post editor, such as Contributors, to insert malicious JavaScript into those fields. The payload would then execute in the browser of any authenticated user who opened that post or page for editing, such as the site's Administrator.
This is a realistic scenario: posts written by Contributors must be reviewed and moderated by an Editor or Administrator before publication, and that review takes place in the very editor that renders the payload.
This vulnerability is somewhat unusual compared to the ones we have covered in the past, because the malicious code only runs once JavaScript in the victim's browser modifies the Document Object Model (DOM) after the page has loaded. More specifically, as shown in the screenshot above, the plugin reads the Post Title field and builds a Snippet Preview on the fly. The payload is stored on the server but sits inert until that DOM update inserts it as markup, at which point the browser parses it and executes it. This type of Cross-Site Scripting is often referred to as DOM-based XSS (here a stored DOM-XSS, since the tainted data comes from the database rather than from the URL).
Similarly, an Administrator could place the same payload in the Search Appearance or General Social Media settings. Because those values feed the same preview, the JavaScript executed when editing any page or post, and also when viewing the All Posts and All Pages listing screens.
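To make the mechanism in the two paragraphs above concrete, here is an added JavaScript example. It is not the plugin's code and not taken from the Wordfence write-up: it models a snippet preview that reads back a stored post title and a stored site-wide setting and builds markup from them. The sample title, the `FakeElement` stand-in for a DOM node, and the function names are all constructed for illustration. The vulnerable form concatenates the stored values straight into `innerHTML`, which is where a stored payload becomes live markup; the hardened form escapes each value first.

```javascript
// Added example (not the plugin's code): a stored DOM-XSS in a snippet preview,
// vulnerable and hardened side by side.

// Constructed sample: a post title a Contributor could have saved earlier.
const STORED_TITLE = 'Quarterly report <img src=x onerror="alert(document.cookie)">';
// Constructed sample: a site-wide setting an Administrator could have changed.
const STORED_SITE_NAME = 'Example Site';

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical stand-in for a DOM element, just enough to show what the
// innerHTML sink does: the browser parses the string and instantiates every
// tag in it, firing onerror/onload handlers as it goes. We record the tag
// names that would be created instead of actually executing anything.
class FakeElement {
  constructor() {
    this.html = '';
    this.createdTags = [];
  }
  set innerHTML(markup) {
    this.html = markup;
    this.createdTags = (markup.match(/<([a-z][a-z0-9]*)/gi) || [])
      .map((t) => t.slice(1).toLowerCase());
  }
  get innerHTML() {
    return this.html;
  }
}

// Vulnerable form: stored values are dropped straight into markup. The <img>
// from the stored title is created and its onerror handler runs in the
// session of whoever is editing the post.
function updatePreviewUnsafe(el, title, siteName) {
  el.innerHTML = '<span class="title">' + title + ' - ' + siteName + '</span>';
  return el.createdTags;
}

// Hardened form: every stored value is escaped before it becomes markup, so
// the payload is rendered as literal text and only the template's own <span>
// is created. (Setting element.textContent instead of innerHTML is the
// equivalent fix when the value is plain text and needs no surrounding markup.)
function updatePreviewSafe(el, title, siteName) {
  el.innerHTML = '<span class="title">' + escapeHtml(title) + ' - ' +
                 escapeHtml(siteName) + '</span>';
  return el.createdTags;
}
```

When reviewing a plugin for this pattern, look for any place a stored value reaches `innerHTML`, `outerHTML`, `insertAdjacentHTML`, `document.write`, or jQuery's `.html()`, and confirm that the value is escaped for the context it lands in. Server-side sanitization on save (for WordPress, `sanitize_text_field` or `wp_kses`) is a second, independent layer; it limits what can be stored, but the output side still has to escape.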
It is important to keep in mind that the injected code runs within the context of an administrator's browser session and could be used, among other things, to create new malicious user accounts or to modify site code. As such, these vulnerabilities should be taken seriously even though exploitation requires an authenticated account, since Contributor is a low-privilege role.
If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of All In One SEO Pack as soon as possible.
Bijay Pokharel