Nasty session stealing hole filled in WordPress All in One SEO plugin

The developers have patched a hole in the popular All in One search engine optimisation WordPress plugin, a tool that's been downloaded by some 30 million users and is used on a million sites. Flaws exist in the Bot Blocker component which can be exploited to steal administrator tokens and conduct actions through cross-site …

  1. Ole Juul

    SEO

    lures the gullible

  2. Dick Kennedy

    Is this story out of date? My sites all already show the plugin at version 2.3.7, and they haven't been updated recently...

  3. Bronek Kozicki
    Pint

    Security hole in a WordPress plugin

    In other news, Adobe will soon release patch for another Flash vulnerability.

    The icon? It's beer for me, because I do not use either.

  4. Anonymous Coward
    Anonymous Coward

    Good old WordPress, allowing those people claiming to be web developers, but with no proper web authoring or security skills (normally from the print design industry), to make lovely pwn-able sites for other people that can just about open a web browser. What could possibly go wrong? Virus and malware email malvertisers love them; inspecting the sites used for these and phishing attacks, it's nearly always hosted on the back of exploited WordPress sites. And before I start a flame war, yes, people who know what they are doing do also from time to time use WordPress properly and create updated and secure sites. But more often than not it's used by some idiot who has no need to use WordPress at all other than that they can't write a fully working page of HTML if their life depended on it.

    1. BillG
      Angel

      A Matter of Trust

      > Good old WordPress, allowing those people claiming to be web developers, but with no proper web authoring or security skills (normally from the print design industry), to make lovely pwn-able sites for other people that can just about open a web browser. What could possibly go wrong?

      Call me old fashioned, but I just can't trust code that I did not write myself.

      1. Anonymous Coward
        Anonymous Coward

        Re: A Matter of Trust

        I like WordPress. If it's set up properly and kept updated then it's very good for lower-tech users who can change and edit bits without having to call in expensive experts every time. It's a primo target for hackers, of course; but WordPress are pretty fast with patches.

        I prefer manual patching; but you can set it to keep itself updated if you know it's going to be an unattended install. The real problem is clueless owners employing only-slightly-less clueless 'designers' who knock up a site and move on without telling the site to keep itself updated. Then it's just a matter of time.

      2. Keith 21
        Trollface

        Re: A Matter of Trust

        "Call me old fashioned, but I just can't trust code that I did not write myself."

        Cool! So you wrote your own browser, running under your own OS, compiled by your own compiler, and connecting to the internet through a router / modem running firmware which you wrote? Fantastic job!

        1. BillG
          Pint

          Re: A Matter of Trust

          > "Call me old fashioned, but I just can't trust code that I did not write myself."
          >
          > Cool! So you wrote your own browser, running under your own OS,...

          I never wrote that I would not use it, I wrote that I would not trust it.

          For a website, I'd much rather write my own server-side code and HTML as that gives me the most flexibility, and enables the best efficiency. I know where everything is, and I can block potential attacks.

          No, I did not write my own server OS. But I do trust the people that manage my server and that makes it O.K.

          1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Wix too

      > Good old WordPress, allowing those people claiming to be web developers, but with no proper web authoring or security skills (normally from the print design industry), to make lovely pwn-able sites for...

      Seems plenty are moving to that abomination Wix instead.

      Now every site has horrible pictures whizzing across too fast, and they all look the same.

      Depressing what's happened, really.

  5. Anonymous Coward
    Anonymous Coward

    This is why...

    Being a Unix-minded user I've always been a bit wary of programs that claim to be "all in one". I more often than not don't need all in one: I need a program (or plugin) which does its job without trying to pretend it's more than it actually is.

    A good example from my past is Avast. I used to really like that virus scanner until they became an "Internet suite". Suddenly the virus scanner had to include firewall and website blacklist features; stuff which I didn't need. Worse yet: in the beginning the product was horrid. Whenever I used Torrent the firewall just couldn't keep up with the number of parallel connections and would crash my PC more often than not, making me really wonder what had happened.

    You want an SEO feature? Then you really don't need some weird "All in one" thingie; Yoast's SEO plugin is all you need. And better yet: no backdoors either :)

  6. Andy3

    I'm sorry, perhaps it's just me. I can't get any meaning out of this headline at all, it's just a string of words. Ah, I think the penny has dropped - should there be a hyphen between session and stealing?


Biting the hand that feeds IT © 1998–2021