What's Up With WordPress December Edition: 800K Sites Still Affected by SEO Plugin
December 23, 2021
There's always something up with WordPress these days, so much so that we might as well cover a WordPress story every week. This time, over 800 thousand WordPress sites are still impacted by a critical flaw in an SEO plugin.
It's about to get technical, but here's what happened and what was affected.
Earlier in December, it was discovered that more than 3 million WordPress sites had a very popular "All-in-One" SEO plugin installed. The plugin had two critical security vulnerabilities that could've exposed all those sites to takeover attacks.
The developers who made the plugin have patched it, but there are still roughly 820,000 sites using the outdated version. So, hackers still pose a threat.
Here's what makes these two vulnerabilities dangerous.
All it takes to carry out an attack is an account with low-level permissions, such as the "Subscriber" role. Subscribers, by the way, are a WordPress user role just like the other roles: Contributor, Author, Editor, and Administrator.
Subscribers can comment on WordPress articles and make changes to their own profiles. Hackers could exploit this vulnerability by injecting malicious SQL (an SQL injection attack) into the backend of a WordPress site to crack its passwords.
From there, hackers could promote themselves to Admin and do as they please by executing malicious code remotely.
Any WordPress Admins using this outdated All-in-One SEO plugin must update it ASAP. We don't know how WordPress will reach out to all of them, but it's still a threat.
Having plugin problems like this isn't something WebFindYou users have to worry about.
So, if you're a WordPress user, consider making the switch right now.