120x600

Critical Security Vulnerability Discovered in All-in-One SEO Plugin Threatening Millions of WordPress Websites


A critical security flaw, CVE-2024-3368, has been found in the widely-used All-in-One SEO plugin for WordPress. Discovered during routine security checks, this vulnerability allows unauthorized injection of JavaScript code, posing a serious risk to millions of websites. Urgent action is advised, including updating the plugin and implementing additional security measures. CleanTalk, a leading provider of WordPress security solutions, remains committed to promptly addressing emerging threats.

CARSON CITY, Nev., May 10, 2024 /PRNewswire-PRWeb/ — Attention WordPress website owners: a critical security issue has been unearthed in the widely utilized All-in-One SEO plugin. Identified as CVE-2024-3368, this vulnerability presents a significant risk, enabling malicious actors to exploit Stored Cross-Site Scripting (XSS) attacks, potentially compromising all websites using All in One SEO.

It’s quite a significant number at the moment, considering that, according to the plugin’s official page, it has more than 3 million active installations.

This vulnerability was not stumbled upon by chance; it was uncovered during routine security assessments conducted by our team. It allows unauthorized contributors to inject JavaScript code into a WordPress post. While this may seem innocuous, it grants unauthorized access to administrative privileges, leaving websites vulnerable to exploitation.

To better understand Stored XSS attacks, picture this: it’s like someone slipping a coded note into your website’s pocket. Later, when that information is displayed on a webpage without scrutiny, the hidden code springs into action, causing havoc.

Exploiting this vulnerability in All in One SEO is disturbingly straightforward. Bad actors can craft a post containing malicious JavaScript code and insert it into the SEO section. Upon interaction with this compromised content by administrators or other users, the malicious script executes, potentially resulting in the creation of admin accounts or other nefarious activities.

Timeline Recap

  • April 3, 2024: Discovery of the issue during All in One SEO testing.
  • April 3, 2024: The plugin’s author was promptly notified, along with a proof of concept for addressing the vulnerability.
  • April 29, 2024: CVE-2024-3368 is officially registered.

With a staggering number of installations, the vulnerability posed by CVE-2024-3368 in All in One SEO demands immediate attention. Failure to act could lead to severe consequences, including website defacement, data theft, or malware dissemination.

Protective Measures

We strongly advise WordPress site owners to promptly update their All in One SEO plugin to the latest patched version to mitigate the risk of CVE-2024-3368 and similar vulnerabilities. Additionally, instituting regular security audits, robust access controls, and deploying web application firewalls (WAFs) can bolster defenses against XSS attacks and other security threats.

By proactively addressing vulnerabilities such as CVE-2024-3368, WordPress website owners can fortify their security posture and shield against potential exploitation. Vigilance is key to staying secure.

Dedicated to Cybersecurity

CleanTalk, known as a top creator of security and antimalware plugins for WordPress, regularly checks plugins for vulnerabilities and alerts users promptly. In the last month, 25 CVEs (Common Vulnerabilities and Exposures) were discovered, highlighting the urgent need for stronger cybersecurity measures online.

Furthermore, 15 security certificates were granted to plugins showing strong defenses against new risks.

Media Contact
Arkhelia Megerko, CleanTalk Inc, 1 7753011130, [email protected], cleantalk.org

SOURCE CleanTalk Inc

About The Author