1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Serious flaw fixed in widely used WordPress plug-in

Discussion in 'CSO' started by RSS, Jul 11, 2016.

  1. RSS

    RSS New Member Member

    If you're running a WordPress website and you have the hugely popular All in One SEO Pack plug-in installed, it's a good idea to update it as soon as possible. The latest version released Friday fixes a flaw that could be used to hijack the site's admin account.

    The vulnerability is in the plug-in's Bot Blocker functionality and can be exploited remotely by sending HTTP requests with specifically crafted headers to the website.

    The Bot Blocker feature is designed to detect and block spam bots based on their user agent and referer header values, according to security researcher David Vaartjes, who found and reported the issue.

    ALSO ON CSO: How to respond to ransomware threats

    If the Track Blocked Bots setting is enabled -- it's not by default -- the plug-in will log all requests that were blocked and will display them on an HTML page inside the site's admin panel.

    To read this article in full or to leave a comment, please click here

    Continue reading...

Share This Page