WordPress Plugin Vulnerabilities

All in One SEO Pack < 2.3.7 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

Requires 'Track Blocked Bots setting' to be enabled which it is not by default.

Affects Plugins

Plugin icon
all-in-one-seo-pack
Fixed in 2.3.7

References

URL
https://seclists.org/fulldisclosure/2016/Jul/23
URL
https://web.archive.org/web/20160508074631/http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/
URL
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html
URL
https://wptavern.com/all-in-one-seo-2-3-7-patches-persistent-xss-vulnerability
URL
https://www.wordfence.com/blog/2016/07/xss-vulnerability-all-in-one-seo-pack-plugin/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
David Vaartjes
Submitter
firefart
Submitter website
https://firefart.at/
Submitter twitter
_FireFart_
Verified
No
WPVDB ID
aa790e24-ae9d-48b9-8071-7ca138cdc69d

Timeline

Publicly Published
2016-07-10 (about 9 years ago)
Added
2016-07-10 (about 9 years ago)
Last Updated
2020-04-12 (about 6 years ago)

Other

Published
Title
Published
2022-09-08
Title
Export Post Info < 1.2.0 - Admin+ Stored Cross-Site Scripting
Published
2025-10-24
Title
Listeo < 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via soundcloud Shortcode
Published
2022-12-29
Title
Top 10 < 3.2.3 - Contributor+ Stored XSS
Published
2014-08-01
Title
Verwei.se WordPress Twitter < 1.0 2 - Cross-Site Scripting (XSS)
Published
2025-01-16
Title
Powie's pLinks PagePeeker <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting