InfoSec Write-ups

Stored XSS to Admin in Unauthenticated-WordPress

Abusing security features the right way

c0d3x27
Published in InfoSec Write-ups
Jan 18, 2025

Keywords:

  • nonce
  • HttpOnly
  • Secure

Introduction:

The All in One SEO Pack plugin, a widely used SEO tool for WordPress with over 1 million active installs, has a critical security vulnerability in one of its features. The vulnerability, an Unauthenticated Stored Cross-Site Scripting (XSS), allows attackers to inject malicious JavaScript through HTTP request headers; the injected script is later executed on WordPress administrator pages.

This vulnerability exposes websites to attacks in which an attacker can get arbitrary JavaScript executed on the site simply by visiting its public-facing pages.

Blocker Functionalities

In the case of the All in One SEO Pack plugin, the stored XSS vulnerability is triggered by its Blocker functionality. While this feature can help prevent malicious bots from accessing the site, the issue arises when the Track Blocked Bots setting is enabled. When this setting is turned on and a bot request is detected because a request header matches a predefined list of bot names, the plugin blocks the request and logs the event. This information…
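The pattern the paragraph describes, shown as an added illustration that is not code from the All in One SEO Pack plugin or from the article's author: a request header is matched against a bot list, the blocked request is logged, and the log is later rendered on an admin page. It assumes a WordPress environment, assumes the matched header is User-Agent, and uses hypothetical function names, a hypothetical option name and a constructed bot list. The unescaped renderer is the stored XSS sink; the escaped renderer is the fix.

```php
<?php
// Added illustration, not the plugin's code. Assumes WordPress (get_option,
// update_option, esc_html, wp_unslash, status_header, add_action are WordPress
// core functions); everything else here is hypothetical.

// Constructed list of bot name fragments; the plugin's real list is not on the page.
const BLOCKED_BOT_PATTERNS = ['badbot', 'scrapercrawler', 'evilspider'];

// True when the header contains one of the blocked bot names (case-insensitive).
function is_blocked_bot(string $user_agent): bool {
    $ua = strtolower($user_agent);
    foreach (BLOCKED_BOT_PATTERNS as $pattern) {
        if (strpos($ua, $pattern) !== false) {
            return true;
        }
    }
    return false;
}

// Record the blocked request. The header value is attacker-controlled input and is
// stored verbatim; storing it is not the bug, rendering it unescaped is.
function log_blocked_request(string $user_agent, string $ip): void {
    $log = get_option('bot_blocker_log', []);   // hypothetical option name
    $log[] = [
        'time'       => time(),
        'ip'         => $ip,
        'user_agent' => $user_agent,
    ];
    update_option('bot_blocker_log', $log);
}

// Vulnerable rendering: stored values are concatenated into the admin page as raw
// HTML, so any markup a client put in its User-Agent header is parsed, and any
// script in it runs in the browser of the administrator viewing the log.
function render_log_unsafe(array $log): string {
    $html = '<table>';
    foreach ($log as $entry) {
        $html .= '<tr><td>' . $entry['ip'] . '</td><td>' . $entry['user_agent'] . '</td></tr>';
    }
    return $html . '</table>';
}

// Hardened rendering: every stored value is HTML-escaped at output time with
// esc_html(), so markup in the header is displayed as text rather than parsed.
// Escaping at the sink removes the bug; input filtering (e.g. sanitize_text_field
// at log time) is defence in depth only, not a substitute.
function render_log_safe(array $log): string {
    $html = '<table>';
    foreach ($log as $entry) {
        $html .= '<tr><td>' . esc_html($entry['ip']) . '</td><td>'
               . esc_html($entry['user_agent']) . '</td></tr>';
    }
    return $html . '</table>';
}

// Request-time wiring (hypothetical). wp_unslash() removes the slashes WordPress
// adds to superglobal values.
add_action('init', function () {
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? wp_unslash($_SERVER['HTTP_USER_AGENT']) : '';
    if (is_blocked_bot($ua)) {
        log_blocked_request($ua, $_SERVER['REMOTE_ADDR'] ?? '');
        status_header(403);
        exit;
    }
});
```

The detection side of this is worth noting as well: because the stored value is whatever the client sent, a log viewer that escapes output also gives administrators a faithful view of the payloads bots are attempting, which is the behaviour the Track Blocked Bots feature is meant to provide.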



Written by c0d3x27

OSCP || OSWE || CompTIA CYSA+, Sec+, A+, ITF+, CSAP | | 0-day Researcher | | Security Consultant
