BugTraq
Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin Jul 10 2016 06:46AM
Summer of Pwnage (lists securify nl)
------------------------------------------------------------------------

Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin
------------------------------------------------------------------------

David Vaartjes, July 2016

------------------------------------------------------------------------

Abstract
------------------------------------------------------------------------

A stored Cross-Site Scripting vulnerability was found in the Bot Blocker
functionality of the All in One SEO Pack WordPress Plugin (1+ million
active installs). This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf.

------------------------------------------------------------------------

Tested versions
------------------------------------------------------------------------

This issue was successfully tested on the All in One SEO Pack WordPress
Plugin version 2.3.6.1.

------------------------------------------------------------------------

Fix
------------------------------------------------------------------------

This issue has been fixed in version 2.3.7 of the plugin.

Free version https://wordpress.org/plugins/all-in-one-seo-pack/
Pro version https://semperplugins.com/all-in-one-seo-pack-pro-version/

------------------------------------------------------------------------

Details
------------------------------------------------------------------------

https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all
_in_one_seo_pack_wordpress_plugin.html

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus