Serious Vulnerability in All in One SEO Pack Plugin 2.3.6.1 and earlier
There is a serious stored cross site scripting (XSS) vulnerability in All in One SEO Pack Plugin versions 2.3.6.1 and older. This plugin is installed on over 1 million active websites and is extremely popular and widely used.
The vulnerability allows an attacker to send a malicious HTTP User-Agent or Referrer header to the site containing an XSS payload. If the administrator then visits their admin panel and views the “Bad Bot Blocker” settings page in this plugin, the attacker can take full control of their site.
Serious Vulnerability in All in One SEO Pack Plugin 2.3.6.1 and earlier