WordPress All In One SEO Pack 4.2.9 Cross Site Scripting

WordPress All In One SEO Pack plugin versions 4.2.9 and below suffer from multiple persistent cross site scripting vulnerabilities.


SHA-256 | 74a6135d643e33e4d021ee5ec58f0ee2bd51c430b63b1e5f75fa0e95dc108a92

Affected Plugin: All In One SEO Pack

Plugin Slug: all-in-one-seo-pack

Affected Versions: <= 4.2.9

CVE ID: CVE-2023-0586

CVSS Score: 6.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Researcher/s: Ivan Kuzymchak

Fully Patched Version: 4.3.0

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Description: Authenticated (Administrator+) Stored Cross-Site Scripting

Affected Plugin: All In One SEO Pack

Plugin Slug: all-in-one-seo-pack

Affected Versions: <= 4.2.9

CVE ID: CVE-2023-0585

CVSS Score: 4.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Researcher/s: Ivan Kuzymchak

Fully Patched Version: 4.3.0

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator-level access or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerability Analysis

The All In One SEO Pack plugin provides site owners with an intuitive interface to assist in optimizing site content for search engines, both during setup as well as on an ongoing per-post and per-page basis. Unfortunately, vulnerable versions of this plugin fail to escape submitted site titles, meta descriptions and other elements during post and page creation, and when changing plugin settings. This made it possible for users with access to the post editor, such as contributors, to insert malicious JavaScript into those fields, which would execute in the browser of any authenticated user, such as a site’s administrator, editing such a post or page.

This is a likely scenario to occur as posts written by contributors have to be reviewed and moderated prior to publication.

xss1

This vulnerability is a little more unique than the ones we have covered in the past as the vulnerable code is executed as a result of modifying the Domain Object Model (DOM) in the victim’s browser after the page loads. More specifically, in the screenshot above the plugin uses the input in the Post Title field and creates a Snippet Preview on the fly. The malicious code is stored, but does not get executed until this DOM modification takes place. This type of Cross-Site Scripting vulnerability is often referred to as DOM-XSS.

Similarly, an Administrator could modify the Search Appearance or General Social Media settings to include the same malicious payload, which resulted in malicious JavaScript code execution, when editing pages or posts as well as when viewing the all post/page listing.

xss-admin

It is important to keep in mind that malicious code may be executed within the context of an administrator’s browser sessions and could be used to generate new malicious user accounts and be utilized for code manipulation among other things. As such, these types of vulnerabilities should be taken seriously even if Contributor-level privileges are required for successful exploitation.

Timeline

January 25, 2023 – Wordfence releases a firewall rule to address the Contributor+ Stored Cross-Site Scripting vulnerability.

January 26, 2023 – The Wordfence team responsibly discloses the vulnerabilities to the plugin vendor.

January 27, 2023 – The vendor confirms receipt and begins work on a fix.

February 6, 2023 – Release 4.3.0 addresses both vulnerabilities.

February 24, 2023 – The firewall rule to address the Contributor+ Stored Cross-Site Scripting vulnerability is released to our Wordfence Free users.

Conclusion

In today’s post, we covered two Cross-Site Scripting vulnerabilities in All In One SEO Pack, a search engine optimization plugin with over 3 Million users. The Wordfence Threat Intelligence team issued a firewall rule providing protection against the Contributor+ Stored Cross-Site Scripting vulnerability on January 25, 2023. This rule has been protecting our Wordfence Premium, Wordfence Care and Wordfence Response users since that date, while those still using our free version received this rule on February 24, 2023.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of All In One SEO Pack as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.


Related Posts