If you’re running a WordPress website and you have the hugely popular All in One SEO Pack plug-in installed, it’s a good idea to update it as soon as possible. The latest version released Friday fixes a flaw that could be used to hijack the site’s admin account.
The vulnerability is in the plug-in’s Bot Blocker functionality and can be exploited remotely by sending HTTP requests with specifically crafted headers to the website.
The Bot Blocker feature is designed to detect and block spam bots based on their user agent and referer header values, according to security researcher David Vaartjes, who found and reported the issue.
If the Track Blocked Bots setting is enabled — it’s not by default — the plug-in will log all requests that were blocked and will display them on an HTML page inside the site’s admin panel.