Open Nav
Sign Up

CVE-2024-3368: Vulnerability in All in One SEO Plugin Threatens Millions of WordPress Sites

Bar Refael

May 21, 2024

A security vulnerability has been discovered in All in One SEO (AIOSEO), a widely used WordPress plugin with over 3 million active installations. This vulnerability, designated as CVE-2024-3368, enables attackers to inject malicious code into websites, potentially leading to unauthorized access, data theft, and website defacement.

Summary:

  • Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
  • Plugin: All in One SEO (AIOSEO)
  • Affected Versions: Up to and including 4.6.0
  • Discovered by: Dmitrii Ignatyev, CleanTalk Inc
  • Impact: Unauthorized access, data theft, website defacement

Security researcher Dmitrii Ignatyev from CleanTalk Inc has been credited with discovering this vulnerability. A proof of concept (POC) for exploiting CVE-2024-3368 has been shared, illustrating how an attacker could inject malicious code into the SEO section of a new post. For example:

https://123.123"asdasd=";alert(1);<img src=x onerror=alert(1)>

Mitigation Steps:

  • Update Plugin: Immediately update AIOSEO to the latest patched version.
  • Conduct Regular Security Audits: Regularly perform security audits to identify and mitigate vulnerabilities.
  • Implement Robust Access Controls: Limit user permissions to essential levels only.
  • Utilize Web Application Firewalls (WAFs): Deploy WAFs to detect and block malicious activities.

Stay Secure. Stay Informed.

OP Innovate Research Team.

Under Cyber Attack?

Fill out the form and we will contact you immediately.