All In One SEO Pack Vulnerabilities Impacting 3 Million Sites Patched
On January 26, 2023, the Wordfence Team responsibly disclosed two vulnerabilities in All In One SEO Pack, a WordPress plugin installed on over 3 Million sites which provides search engine optimization tools designed to help content creators optimize their sites and reach more users.
Both reported issues were Stored Cross-Site Scripting vulnerabilities with one of them requiring Administrator-level privileges (CVE-2023-0585) while the other was accessible to Contributor users and higher (CVE-2023-0586).
On January 25, 2023 the Wordfence team issued a custom firewall rule to address the Contributor+ Cross-Site Scripting vulnerability and released it to our Wordfence Premium, Wordfence Care, and Wordfence Response users. Wordfence Free users received this rule 30 days later. As of February 24, 2023 All Wordfence users are protected against this vulnerability by this rule.
Description: Authenticated (Contributor+) Stored Cross-Site Scripting
Affected Plugin: All In One SEO Pack
Plugin Slug: all-in-one-seo-pack