The WordPress plugin in question is the “All in One SEO Pack” and the fix is easy: just make sure to update the plugin immediately, like today.
The vulnerability affected WordPress blogs that used the plugin and allowed subscribers, authors and other non-admin users to log in to wp-admin.
Are you a Marwick Marketing client? Don’t worry we’ve already updated yours (if you have it)!
Christian Thomson from Marwick Marketing comments: “In the first case, a logged-in user, without possessing any kind of administrative privileges (like an author or subscriber), could add or modify certain parameters used by the plugin. It includes the post’s SEO title, description and keyword meta tags. All of which could decrease one’s website’s Search Engine Results Page (SERP) ranking if used maliciously.”
The code in the plugin had two security issues that enabled hackers to:
(1) Conduct privilege escalation
(2) Carry out cross-site scripting (XSS) attacks
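To show the pattern behind both issue classes, here is an added example of a hypothetical WordPress meta-box save handler; it is not code from All in One SEO Pack, which the post does not show. The weak version stores post meta for any logged-in user and echoes it back unescaped; the hardened version checks a nonce and the user’s capability on that specific post, sanitizes on save and escapes on output. The meta key `_example_seo_title`, the field names and the function names are assumptions.

```php
<?php
// Added example, not code from the All in One SEO Pack plugin.
// Meta key, field names and function names are hypothetical.

// Weak version: any logged-in user who reaches the edit screen can
// change the meta (privilege escalation), and the stored value is
// echoed raw back into the admin page (stored XSS).
function example_seo_save_weak( $post_id ) {
    if ( isset( $_POST['example_seo_title'] ) ) {
        update_post_meta( $post_id, '_example_seo_title', $_POST['example_seo_title'] );
    }
}

function example_seo_field_weak( $post ) {
    $title = get_post_meta( $post->ID, '_example_seo_title', true );
    echo '<input name="example_seo_title" value="' . $title . '">';
}

// Hardened version: verify the nonce, check the capability against this
// post (subscribers fail; authors pass only for their own posts),
// sanitize before saving, and escape when rendering.
function example_seo_save_hardened( $post_id ) {
    if ( ! isset( $_POST['example_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['example_seo_title'] ) ) {
        $clean = sanitize_text_field( wp_unslash( $_POST['example_seo_title'] ) );
        update_post_meta( $post_id, '_example_seo_title', $clean );
    }
}

function example_seo_field_hardened( $post ) {
    wp_nonce_field( 'example_seo_save', 'example_seo_nonce' );
    $title = get_post_meta( $post->ID, '_example_seo_title', true );
    echo '<input name="example_seo_title" value="' . esc_attr( $title ) . '">';
}

// Only the hardened save handler is hooked; the weak pair is for contrast.
add_action( 'save_post', 'example_seo_save_hardened' );
```

The two checks map directly onto the two issue classes above: the capability check closes the privilege escalation, and the output escaping closes the XSS.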
Again, the fix is simple: just upgrade to the latest version available for this plugin.