There's a great SEO plugin for WordPress called "All in One SEO Pack", and we're using it on many of the WordPress websites we've created. As with all software, security holes get discovered from time to time. One was found in this plugin, and we want to notify everyone about it:
Update Your All In One SEO Pack WordPress Plugin Now (searchengineland.com)
The vulnerability opened up WordPress blogs that used the plugin and had subscribers, authors, or other non-admin users logging in to wp-admin. The code in the plugin had two security issues that enabled hackers to:
(1) Conduct privilege escalation
(2) Conduct cross-site scripting (XSS) attacks
Major Exploits Found in All in One SEO Pack WordPress Plugin (searchenginewatch.com)
If you're an All in One SEO Pack plugin user and don't update, the best-case scenario could be finding yourself removed from Google's search index for spamming. And because a malicious user could change the title, description, and keyword meta tags, it opens up websites to having that information changed by unauthorized third parties.
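The two articles above describe the class of problem in general terms: a logged-in but non-admin user reaching a write path that lacks a proper permission check (privilege escalation), and stored values reaching the page without escaping (XSS). The following is an added illustration of that pattern and its defensive counterpart in ordinary WordPress plugin code. It is not code from All in One SEO Pack, and it does not claim to show where that plugin's bug was; every name in it (the meta keys, nonce action, field and function names) is hypothetical.

```php
<?php
/**
 * Added example, not code from All in One SEO Pack.
 * Shows the generic mistake (a meta save handler that trusts any logged-in
 * user) next to the hardened form (nonce + capability check + sanitized
 * input + escaped output). All identifiers here are hypothetical.
 */

// --- Weak pattern -------------------------------------------------------
// Stores whatever was posted, with no nonce and no capability check.
// Any account that can reach wp-admin and trigger save_post could rewrite
// the SEO title of a post, and the raw value would later be printed into
// the page head unescaped. Deliberately NOT hooked with add_action().
function example_seo_save_unsafe( $post_id ) {
    if ( isset( $_POST['example_seo_title'] ) ) {
        update_post_meta( $post_id, '_example_seo_title', $_POST['example_seo_title'] );
    }
}

// --- Hardened pattern ---------------------------------------------------
// Meta box form: emits the nonce that the save handler will verify.
function example_seo_meta_box_html( $post ) {
    wp_nonce_field( 'example_seo_save_' . $post->ID, 'example_seo_nonce' );
    $title = get_post_meta( $post->ID, '_example_seo_title', true );
    $desc  = get_post_meta( $post->ID, '_example_seo_description', true );
    echo '<p><label>SEO title <input type="text" name="example_seo_title" value="'
        . esc_attr( $title ) . '"></label></p>';
    echo '<p><label>Meta description <input type="text" name="example_seo_description" value="'
        . esc_attr( $desc ) . '"></label></p>';
}

function example_seo_save_safe( $post_id ) {
    // Skip autosaves and revisions; nothing to do for them.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }

    // 1. Nonce: the request must originate from our own form (CSRF protection).
    if ( ! isset( $_POST['example_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_save_' . $post_id ) ) {
        return;
    }

    // 2. Capability: the user must be allowed to edit *this* post.
    //    Subscribers fail; authors pass only for posts they own.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // 3. Sanitize on input: strip tags and line breaks so markup is never stored.
    if ( isset( $_POST['example_seo_title'] ) ) {
        $title = sanitize_text_field( wp_unslash( $_POST['example_seo_title'] ) );
        update_post_meta( $post_id, '_example_seo_title', $title );
    }
    if ( isset( $_POST['example_seo_description'] ) ) {
        $desc = sanitize_text_field( wp_unslash( $_POST['example_seo_description'] ) );
        update_post_meta( $post_id, '_example_seo_description', $desc );
    }
}
add_action( 'save_post', 'example_seo_save_safe' );

// 4. Escape on output for the exact context, even though input was sanitized
//    (defence in depth: meta may have been written by other code paths).
function example_seo_print_head() {
    if ( ! is_singular() ) {
        return;
    }
    $post_id = get_queried_object_id();
    $desc    = get_post_meta( $post_id, '_example_seo_description', true );
    if ( $desc !== '' ) {
        echo '<meta name="description" content="' . esc_attr( $desc ) . '">' . "\n";
    }
}
add_action( 'wp_head', 'example_seo_print_head' );
```

The point of the comparison is where the checks sit: `current_user_can( 'edit_post', $post_id )` is what stops a subscriber-level account from writing another post's SEO fields, the nonce stops a forged request from an account that does have the right, and `sanitize_text_field` on the way in plus `esc_attr` on the way out keeps anything that does get stored from executing in a visitor's browser.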
Yet one more (why not?):
WordPress is easy to set up and use; that's why a large number of people like it. But if you or your company is using the 'All in One SEO Pack' WordPress plugin to optimize the website's ranking in search engines, then you should update your SEO plugin immediately to the latest version, All in One SEO Pack 2.1.6.
Today, the All in One SEO Pack plugin team released an emergency security update that patches two critical privilege escalation vulnerabilities and one cross-site scripting (XSS) flaw, discovered by security researchers at Sucuri, a web monitoring and malware clean-up service.
To fix this, all you need to do is upgrade the plugin. We would be happy to take care of this for you (1-2 Maintenance Blocks) or else you can do this upgrade yourself in the WordPress plugins manager screen.