CVE-2024-3368: Vulnerability in All in One SEO Plugin Threatens Millions of WordPress Sites

Bar Refael

May 21, 2024

A security vulnerability has been discovered in All in One SEO (AIOSEO), a widely used WordPress plugin with over 3 million active installations. The vulnerability, designated CVE-2024-3368, is an authenticated stored cross-site scripting (XSS) flaw: an authenticated user can store malicious script in site content, where it executes in the browsers of users who view the affected pages, potentially leading to unauthorized access, data theft, and website defacement.

Summary:

  • Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
  • Plugin: All in One SEO (AIOSEO)
  • Affected Versions: Up to and including 4.6.0
  • Discovered by: Dmitrii Ignatyev, CleanTalk Inc
  • Impact: Unauthorized access, data theft, website defacement

Security researcher Dmitrii Ignatyev from CleanTalk Inc has been credited with discovering this vulnerability. A proof of concept (PoC) for exploiting CVE-2024-3368 has been shared, illustrating how an attacker could inject malicious code into the SEO section of a new post. For example:

https://123.123"asdasd=";alert(1);<img src=x onerror=alert(1)>

Mitigation Steps:

  • Update Plugin: Immediately update AIOSEO to the latest patched version.
  • Conduct Regular Security Audits: Regularly perform security audits to identify and mitigate vulnerabilities.
  • Implement Robust Access Controls: Limit user permissions to essential levels only.
  • Utilize Web Application Firewalls (WAFs): Deploy WAFs to detect and block malicious activities.
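As an added, defender-side example (not code from the advisory, from CleanTalk, or from the AIOSEO project), the following Python script bundles three triage checks a site operator might run: whether an installed AIOSEO version falls inside the affected range stated above (up to and including 4.6.0), how standard output encoding renders the advisory's PoC payload inert when an SEO field is echoed into HTML, and a heuristic scan of exported SEO field values for script-like content that warrants manual review. The sample rows and field names are constructed for illustration and are not AIOSEO's real storage keys; the scan is a review aid, not a confirmation of compromise.

```python
"""Added example (not from the advisory): triage helpers for CVE-2024-3368.

  1. is_affected()                 - version falls in the affected range?
  2. neutralise()                  - output encoding makes the PoC inert
  3. flag_suspicious_seo_values()  - heuristic scan of stored SEO values

Sample data below is constructed; field names are illustrative only.
"""
import html
import re

# "Up to and including 4.6.0" per the advisory; later releases are assumed fixed.
AFFECTED_MAX = (4, 6, 0)


def parse_version(version: str) -> tuple:
    """Turn '4.5.9.2' / '4.6' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(installed: str) -> bool:
    """True if the installed AIOSEO version is within the affected range."""
    return parse_version(installed) <= AFFECTED_MAX


def neutralise(value: str) -> str:
    """Encode a stored SEO value for safe use in an HTML attribute or text node.

    html.escape(quote=True) converts <, >, &, " and ' into entities, so the
    quote-break and the <img onerror=...> in the PoC can no longer form markup.
    """
    return html.escape(value, quote=True)


# Markers of active content. A hit means "a human should look", nothing more.
SUSPICIOUS = re.compile(
    r"<\s*(script|img|svg|iframe)\b"   # tags commonly used to carry handlers
    r"|\bon[a-z]+\s*="                 # inline event handler attribute
    r"|javascript\s*:",                # javascript: URL scheme
    re.IGNORECASE,
)


def flag_suspicious_seo_values(rows):
    """rows: iterable of (post_id, field_name, value). Returns the flagged rows."""
    return [(pid, field, val) for pid, field, val in rows if SUSPICIOUS.search(val)]


# The PoC string quoted in the advisory.
POC_PAYLOAD = 'https://123.123"asdasd=";alert(1);<img src=x onerror=alert(1)>'

# Constructed sample of exported SEO field values (field names are illustrative).
SAMPLE_ROWS = [
    (101, "canonical_url", "https://example.com/page"),
    (102, "canonical_url", POC_PAYLOAD),
    (103, "description", "Best plugin review <3"),
]


if __name__ == "__main__":
    for v in ("4.5.9.2", "4.6.0", "4.6.1"):
        print(f"AIOSEO {v}: {'AFFECTED' if is_affected(v) else 'not in affected range'}")
    print("Encoded PoC:", neutralise(POC_PAYLOAD))
    for pid, field, val in flag_suspicious_seo_values(SAMPLE_ROWS):
        print(f"review post {pid} field {field!r}: {val[:40]}...")
```

Run it against a list of installed plugin versions and an export of the SEO fields (post meta, title/description overrides, canonical URLs) from the site database; anything flagged should be inspected by hand rather than deleted automatically, since legitimate content can trip a pattern like `on...=`.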

Stay Secure. Stay Informed.

OP Innovate Research Team.
