If you have the All-In-One SEO Pack WordPress plugin installed, your website may be at risk of being compromised if it’s not updated. An update was released on Sunday that patches two vulnerabilities.
Over the weekend, Web security firm Sucuri announced that they discovered two security flaws in the All in One SEO Pack plugin. The flaws leave your website at risk of attack by users with non-admin accounts.
In addition to being able to add or modify certain parameters used by the plugin, attackers can also elevate their privileges and inject malicious code into the administration panel.
Sucuri cautions website owners that they may be at risk if their site has subscribers, authors and non-admin users logging in to the wp-admin panel.
If your website allows for open registrations, Sucuri says you are at risk and need to update the plugin right now.
How To Protect Your Website
It is recommended that WordPress admins update the All in One SEO Pack plug-in to version 2.1.6, which was released on Sunday.
Slobodan Manic, CTO of Search Engine Journal, offers an alternative recommendation:
SEJ migrated some time ago from “All in One SEO Pack” to “WordPress SEO by Yoast”, which historically hasn’t had any security issues. Migrating was really easy.
To migrate to the more secure SEO by Yoast plugin, follow the steps provided in this post. If you’re not interested in using a new plugin, updating your ‘All in One’ plugin should fix the problem just as well.