CVE-2024-3554 in All in One SEO Plugin

Summary

by MITRE • 05/02/2024

The All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 06/06/2025

The All in One SEO plugin represents one of the most widely used SEO solutions for WordPress installations, with over 10 million downloads across various versions. This particular vulnerability affects all versions up to and including 4.6.0, making it a significant concern for WordPress administrators who rely on this plugin for their search engine optimization needs. The plugin's functionality includes generating shortcodes that allow users to embed SEO elements directly into their content, which creates an attack surface that malicious actors can exploit to compromise website security.

The technical flaw stems from insufficient input sanitization and output escaping mechanisms within the plugin's shortcode implementation. When administrators or contributors with appropriate privileges create or modify content containing these shortcodes, the plugin fails to properly validate or escape user-supplied attributes before rendering them in the final HTML output. This vulnerability specifically manifests as a stored cross-site scripting condition, meaning that malicious scripts are permanently stored within the website's database rather than being executed only during a single request. The flaw allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into shortcode attributes, which then executes whenever any user accesses the affected pages.

The operational impact of this vulnerability extends beyond simple script execution, as it creates a persistent threat vector that can be exploited for various malicious purposes. Attackers can leverage this vulnerability to steal user session cookies, redirect visitors to malicious websites, deface website content, or even establish persistent backdoors within the WordPress installation. The stored nature of the XSS vulnerability means that the malicious code remains active until manually removed by administrators, potentially affecting all users who access the compromised pages. This is particularly concerning because exploitation requires only contributor-level privileges, putting it within reach of users who should normally have limited administrative capabilities.

Security professionals should note that this vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications. The attack pattern follows typical stored XSS exploitation methods where malicious input is first stored on the server and then served to other users. From an ATT&CK framework perspective, this vulnerability maps to technique T1566.001 for initial access through malicious content and T1059.001 for command and control through script execution.

Organizations should implement immediate mitigations including updating to the patched version of the plugin, implementing proper input validation at the application level, and conducting thorough security audits of all installed plugins. Additionally, administrators should consider implementing web application firewalls to detect and block suspicious shortcode attribute patterns, while also establishing monitoring procedures to identify unauthorized content modifications.

The vulnerability underscores the critical importance of proper sanitization and escaping mechanisms in web applications, particularly those handling user-generated content, and serves as a reminder that even seemingly benign plugins can introduce significant security risks when proper input validation is not implemented.
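One way to audit stored content for the suspicious shortcode attribute patterns mentioned above, as an added example that is not VulDB's or the plugin's own code. The `demo_seo_` tag prefix and the sample posts are constructed placeholders; substitute the shortcode tags actually registered on the site being reviewed.

```python
import html
import re

# [tag attr="value" ...] as it appears in stored post content.
SHORTCODE = re.compile(r"\[(?P<tag>[A-Za-z_][\w-]*)\b(?P<attrs>[^\]]*)\]")
ATTR = re.compile(
    r"""(?P<name>[\w-]+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s\]]+))"""
)
# Values that can leave an HTML attribute context if rendered without escaping.
RISKY = [
    ("markup or quote character", re.compile(r"""[<>"'`]""")),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script-capable URL scheme",
     re.compile(r"^\s*(?:javascript|data|vbscript)\s*:", re.I)),
]

def audit_post(post_id, content, tag_prefix):
    """Return (post_id, tag, attribute, reasons) for each attribute worth review."""
    findings = []
    for sc in SHORTCODE.finditer(content):
        if not sc.group("tag").startswith(tag_prefix):
            continue
        for attr in ATTR.finditer(sc.group("attrs")):
            raw = next(v for v in attr.group("dq", "sq", "bare") if v is not None)
            value = html.unescape(raw)  # catch entity-encoded quotes and brackets
            reasons = [label for label, rx in RISKY if rx.search(value)]
            if reasons:
                findings.append((post_id, sc.group("tag"), attr.group("name"), reasons))
    return findings

def audit_all(posts, tag_prefix):
    return [f for pid, body in posts.items() for f in audit_post(pid, body, tag_prefix)]

# Constructed sample content; the shortcode name is hypothetical.
POSTS = {
    101: 'Intro [demo_seo_box title="Spring sale" color="blue"] outro',
    102: "[demo_seo_box title='x\" onmouseover=\"alert(1)']",
    103: '[demo_seo_box link="javascript:alert(1)"]',
    104: '[demo_seo_box title="a&quot;&gt;&lt;b"]',
    105: '[gallery ids="1,2,3"]',  # different tag, out of scope for this audit
}

if __name__ == "__main__":
    for post_id, tag, name, reasons in audit_all(POSTS, "demo_seo_"):
        print(f"post {post_id}: [{tag}] attribute {name!r}: {', '.join(reasons)}")
```

Findings are review candidates rather than confirmed injections: a legitimate value containing an apostrophe is flagged too, so pair each hit with the post's author role and revision history before acting on it.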

Responsible: Wordfence
Reservation: 04/09/2024
Disclosure: 05/02/2024
Moderation: accepted
CPE: ready
EPSS: 0.00457
KEV: no
Activities: very low
