All in One SEO Pack plugin has a security issue: update to the latest version promptly


老左 believes many of you are using All in One SEO Pack, an excellent WordPress SEO plugin, but a Wordfence security article reports that every version before 3.6.2 has an XSS vulnerability. If we do not update to the latest version promptly, the vulnerability could be used to modify our site titles, which would cause the site unnecessary trouble.

If you are running All in One SEO Pack 3.6.1 or any earlier version, you are affected, so you need to upgrade to 3.6.2, the latest version currently published in the official WordPress plugin directory. You can update directly from the admin backend or download the new version and replace the plugin files manually. 老左 found that I am not using this plugin myself, so there is nothing for me to upgrade.


All in One SEO Pack patched an XSS vulnerability this week that was discovered by the security researchers at Wordfence on July 10. The popular plugin has more than 2 million active installs, according to

Wordfence researchers categorized it as “a medium severity security issue” that could result in “a complete site takeover and other severe consequences:”

This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all posts’ page.

Version 3.6.2, released on July 15, 2020, includes the following update in the changelog: “Improved the output of SEO meta fields + added additional sanitization for security hardening.”
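To make the "output" and "sanitization" points concrete, here is an added illustration (not All in One SEO Pack's own code) of the pattern behind this bug class: a hypothetical plugin stores an SEO title in post meta and shows it as a column on the wp-admin "All Posts" screen. The meta key, field names and nonce action are assumptions; what matters is that a contributor-supplied value is sanitized on save and, independently, escaped at output.

```php
<?php
// Hypothetical example, not the plugin's code. Meta key `_example_seo_title`
// and the field/nonce names below are made up for illustration.

// 1. Saving: verify nonce and capability, then sanitize before storing.
add_action( 'save_post', function ( $post_id ) {
    if ( ! isset( $_POST['example_seo_title'], $_POST['example_seo_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['example_seo_nonce'], 'example_seo_save' ) ) {
        return;
    }
    // Contributors can edit their own drafts, so this check alone does not
    // stop them from writing meta; it only ties the write to an allowed post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // sanitize_text_field() strips tags and invalid bytes, so markup never
    // reaches the database as markup.
    $title = sanitize_text_field( wp_unslash( $_POST['example_seo_title'] ) );
    update_post_meta( $post_id, '_example_seo_title', $title );
} );

// 2. Listing: add the column to the All Posts table.
add_filter( 'manage_posts_columns', function ( $columns ) {
    $columns['example_seo_title'] = 'SEO Title';
    return $columns;
} );

// 3. Rendering the column for every row an administrator views.
add_action( 'manage_posts_custom_column', function ( $column, $post_id ) {
    if ( 'example_seo_title' !== $column ) {
        return;
    }
    $title = get_post_meta( $post_id, '_example_seo_title', true );

    // Unsafe pattern: echoing stored meta verbatim. If any code path ever
    // stored a script tag, it would run in the browser of every admin who
    // opens the list. Shown commented out for contrast.
    // echo $title;

    // Safe pattern: escape at output regardless of what was stored, so the
    // fix does not depend on every write path having sanitized correctly.
    echo esc_html( $title );
}, 10, 2 );
```

Input sanitization and output escaping are separate defenses: the changelog entry mentions both, and either one alone would have left the list page exposed if the other were bypassed.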

All in One SEO Pack users are strongly recommended to update to the latest version. At the time of publishing, just 12% of the plugin’s user base is running versions 3.6.x, which includes the three most recent versions. This leaves more than 1.7 million installations (88% of the plugin’s users) vulnerable.

Many users don’t log into their WordPress sites often enough to learn about security updates in a timely fashion. Plugin authors often don’t advertise the importance of the update on their websites or social media. This is the type of situation that WordPress 5.5 should help to mitigate, as it introduces admin controls in the dashboard that allow users to enable automatic updates for themes and plugins.






This post was published by 老左 on 22 July 2020 in the Web Front-end category. Trackbacks are currently unavailable; you can leave a comment at the bottom.