All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic < 4.6.1.1 – Contributor+ Stored Cross-Site Scripting via Shortcode | CVE 2024-3554 | Plugin Vulnerabilities

Description

The All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Proof of Concept

As a contributor, add the following shortcode to a post:

[aioseo_html_sitemap label_tag="img src onerror=alert(/XSS-sitemap/)"]

The XSS will be triggered when anyone access the post dashboard (/wp-admin/edit.php?post_type=post)

Affects Plugins

all-in-one-seo-pack

Fixed in 4.6.1.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/28741ffc-4ff5-4e67-a183-bb5064b6752e

Classification

Type

CROSS FRAME SCRIPTING

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Verified

Yes

WPVDB ID

827eba98-2b91-4524-a71a-306a0c0e5fb8

Timeline

Publicly Published

2024-04-29 (about 2 years ago)

Added

2024-04-29 (about 2 years ago)

Last Updated

2024-04-29 (about 2 years ago)

Other

Published

Title

Published

2025-11-17

Title

VK All in One Expansion Unit < 9.112.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-06

Title

Otter Blocks PRO < 2.6.4 - Unauthenticated Stored Cross-Site Scripting via SVG Upload

Published

2024-03-25

Title

Easy Textillate < 2.02 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2025-10-23

Title

Multi Item Responsive Slider <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-02-19

Title

Featured Image from URL (FIFU) < 4.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url