A security vulnerability has been discovered in All in One SEO (AIOSEO), a widely used WordPress plugin with over 3 million active installations. The flaw, an authenticated stored cross-site scripting (XSS) issue tracked as CVE-2024-3368, lets attackers inject malicious code into websites, potentially leading to unauthorized access, data theft, and website defacement.
Summary:
- Vulnerability: Authenticated Stored Cross-Site Scripting (XSS)
- Plugin: All in One SEO (AIOSEO)
- Affected Versions: Up to and including 4.6.0
- Discovered by: Dmitrii Ignatyev, CleanTalk Inc
- Impact: Unauthorized access, data theft, website defacement
Security researcher Dmitrii Ignatyev of CleanTalk Inc is credited with discovering this vulnerability. A proof of concept (PoC) for CVE-2024-3368 has been shared, illustrating how an attacker could inject malicious code into the SEO section of a new post. For example:
https://123.123"asdasd=";alert(1);<img src=x onerror=alert(1)>
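The Python sketch below is an added example, not AIOSEO's code: it passes the PoC string above through a hypothetical link template with and without attribute escaping, and adds an input-side URL check. The template, function names and scheme allowlist are assumptions, since the page does not say how the plugin stores or outputs the field.

```python
import html
from urllib.parse import urlsplit

# PoC string quoted on this page for CVE-2024-3368.
POC = 'https://123.123"asdasd=";alert(1);<img src=x onerror=alert(1)>'

ALLOWED_SCHEMES = {"http", "https"}  # assumption: field only needs web URLs
# Characters that end a quoted attribute or open a tag; none is valid raw in a URL.
FORBIDDEN = set("\"'<>`\\ \t\r\n")


def is_safe_url(value: str) -> bool:
    """Input-side check: allowlisted scheme, a host, no markup characters."""
    if any(ch in FORBIDDEN for ch in value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_unescaped(value: str) -> str:
    """Hypothetical template that concatenates the stored value as-is."""
    return '<a href="' + value + '">link</a>'


def render_escaped(value: str) -> str:
    """Same template with attribute-context escaping on output."""
    return '<a href="' + html.escape(value, quote=True) + '">link</a>'


def save_url(value: str) -> str:
    """Store only values that pass validation; otherwise store nothing."""
    return value if is_safe_url(value) else ""


if __name__ == "__main__":
    print(render_unescaped(POC))  # quote closes href, <img> becomes live markup
    print(render_escaped(POC))    # whole string stays inside the attribute
    print(repr(save_url(POC)))    # rejected at input
```

Validation on save and escaping on output are independent layers; escaping alone already keeps the stored value inert in this attribute context.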
Mitigation Steps:
- Update Plugin: Immediately update AIOSEO to the latest patched version; versions up to and including 4.6.0 are affected.
- Conduct Regular Security Audits: Regularly perform security audits to identify and mitigate vulnerabilities.
- Implement Robust Access Controls: Limit user permissions to essential levels only.
- Utilize Web Application Firewalls (WAFs): Deploy WAFs to detect and block malicious activities.