Persistent Cross-Site Scripting in All in One SEO Pack WordPress- Plugin

From: Summer of Pwnage <lists@securify.nl>
To: bugtraq@securityfocus.com
Cc:
Subject: Persistent Cross-Site Scripting in All in One SEO Pack WordPress- Plugin
Date:


------------------------------------------------------------------------
Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the Bot Blocker
functionality of the All in One SEO Pack WordPress Plugin (1+ million
active installs). This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the All in One SEO Pack WordPress
Plugin version 2.3.6.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been fixed in version 2.3.7 of the plugin.

Free version https://wordpress.org/plugins/all-in-one-seo-pack/
Pro version https://semperplugins.com/all-in-one-seo-pack-pro-version/

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html 





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.