Wordfence has published the details of two stored XSS vulnerabilities the company responsibly disclosed to the developers of the All In One SEO plugin in January 2023. The vulnerabilities potentially impacted more than 3 million users on versions 4.2.9 and earlier.

One vulnerability, which received a 6.4 (Medium) CVSS score, Wordfence attributes to insufficient input sanitization and output escaping. Researchers found that this “makes it possible for authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The second vulnerability was given a 4.4 (Medium) CVSS score and requires an authenticated attacker to have Administrator-level privileges. Wordfence outlined how attackers might exploit these vulnerabilities:

Unfortunately, vulnerable versions of this plugin fail to escape submitted site titles, meta descriptions and other elements during post and page creation, and when changing plugin settings. This made it possible for users with access to the post editor, such as contributors, to insert malicious JavaScript into those fields, which would execute in the browser of any authenticated user, such as a site’s administrator, editing such a post or page.

This is a likely scenario to occur as posts written by contributors have to be reviewed and moderated prior to publication.

All In One SEO has patched both vulnerabilities in version 4.3.0 but so far only 25.5% of the plugins 3+ million user base has updated to the latest version, leaving approximately 3/4 of the plugin’s users still vulnerable.

The plugin’s changelog for version 4.3.0 includes a brief, vague note on the security fix included: “Updated: Additional security hardening.” There have been two more releases of the plugin since the vulnerabilities were patched in 4.3.0.