Flaws in Popular SEO plug-in put WordPress websites at risk

All in One SEO Pack

     
2:05 pm on Jun 2, 2014 (gmt 0)

brett_tabke (Administrator, US)


Researchers from Web security firm Sucuri found two flaws in a plug-in called “All in One SEO Pack” that potentially allow attackers with access to non-administrative WordPress accounts to elevate their privileges and inject malicious code into the administration panel.

[pcworld.com...]



WordPress site administrators are advised to upgrade the “All in One SEO Pack” plug-in to version 2.1.6 which was released Sunday in the WordPress add-ons repository. An update can also be initiated from the plug-in’s administration panel.


The flaws allowed hackers to launch privilege escalation and cross-site scripting attacks against vulnerable sites running old versions below 2.1.6. The plugin has been downloaded nearly 19 million times.

[theregister.co.uk...]

2:11 pm on June 2, 2014 (gmt 0)

lorax (Senior Member, US)


Nice find, Brett. It pays to keep tabs on the security blogs.

9:16 pm on June 2, 2014 (gmt 0)

martinibuster (Moderator, US)


Here's what's on Twitter from the creator of All In One SEO Pack:


Michael Torbert @michaeltorbert - Jun 1

Watching @pbaylies from @semperfidev talk about debugging your WordPress at WordCamp Asheville #wcavl



Here is what's on Yoast's Twitter stream:


Joost de Valk @yoast - Jun 1

Now might be a good time to remind you that WP SEO has a built-in import feature for All In One SEO Pack. Just switch :-)


Who do you think is on the ball?

9:26 pm on June 2, 2014 (gmt 0)

brett_tabke (Administrator, US)


Nice promo martinibuster. You a Yoast affiliate? ;-) lol

10:44 pm on June 2, 2014 (gmt 0)

martinibuster (Moderator, US)


Ha! Nope, no way. Omg, my leg's been pulled. :P Actually I'm anti-SEO packs. I just don't see the point of it.

I was checking the All in One WP download page to see which of the two it was, Yoast or the other one. Saw a link to the Twitter page for the creator of it and was shocked to see he had nothing on his Twitter stream on it.

Kiss of death with Matt Cutts tweeting about it.

12:25 am on June 3, 2014 (gmt 0)

sgt_kickaxe (Senior Member)


There is no addon or pack out there that can do a better job than applying changes manually to your own themes; the only limit is your knowledge and imagination.

I've disliked WordPress's approach of saying "the SEO is fine" when guys like Matt Cutts and places like Webmaster Tools tell you that you should probably modify your titles etc. If WordPress covered the basics then there would be less need for addons and modifications. It's time, WordPress.

3:23 pm on June 3, 2014 (gmt 0)

lorax (Senior Member, US)


MT might be handling it and doing damage control by not talking about it. Not saying that's a good idea but that is how some people handle such things.

>> I just don't see the point of it.

Bingo. I'm testing Yoast's on one of my sites and I think it actually does more harm than good.

10:04 pm on June 4, 2014 (gmt 0)

ogletree (Senior Member, US)


I stopped using that last year when I was told there was a problem with it. I can't find it but I do remember being told about this same problem in 2013.