蜗牛相信有不少朋友都在使用All in One SEO Pack这款优秀的WordPress SEO插件工具,但是我们从Wordfence安全文章中看到在3.6.2版本之前都有XSS安全问题,如果我们不及时更新到最新版本话可能会导致我们的网站标题被利用修改,这样还是会给网站造成不必要的麻烦的。
如果我们在使用All in One SEO Pack3.6.1及以前的版本的都是有安全问题的,所以我们需要升级到目前WP官方上架的最新的3.6.2版本。我们可以选择直接后台更新升级或者手动下载替换升级。蜗牛发现我还没有用这款插件,所以不用升级修改。
原文内容:
All in One SEO Pack patched an XSS vulnerability this week that was discovered by the security researchers at Wordfence on July 10. The popular plugin has more than 2 million active installs, according to WordPress.org.
Wordfence researchers categorized it as “a medium severity security issue” that could result in “a complete site takeover and other severe consequences:”
This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all posts’ page.
Version 3.6.2, released on July 15, 2020, includes the following update in the changelog: “Improved the output of SEO meta fields + added additional sanitization for security hardening.”
All in One SEO Pack users are strongly recommended to update to the latest version. At the time of publishing, just 12% of the plugin’s user base is running versions 3.6.x, which includes the three most recent versions. This leaves more than 1.7 million installations (88% of the plugin’s users) vulnerable.
Many users don’t log into their WordPress sites often enough to learn about security updates in a timely fashion. Plugin authors often don’t advertise the importance of the update on their websites or social media. This is the type of situation that WordPress 5.5 should help to mitigate, as it introduces admin controls in the dashboard that allow users to enable automatic updates for themes and plugins.