On Saturday, security researchers at Sucuri.net disclosed vulnerabilities in a widely used WordPress extension, All-in-One-SEO-Pack, that leaves sites susceptible to remote hijacking.

This vulnerability can allow attackers to inject malicious code into the WordPress admin dashboard using cross site scripting (XSS). Malicious hackers can then change an admin’s password or insert backdoor code into the WordPress site, as well as have full access and control of that site.  In order to exploit this vulnerability, the attackers need only an unprivileged account on the site, such as one for posting reader comments, or a subscriber account, to escalate their privileges with this vulnerability.

WordPress-powered sites that use the All-in-One-SEO-Pack should promptly install the version 2.1.6 update that fixes the privilege escalation vulnerabilities. WordPress Administrators can upgrade by logging in to their WordPress dashboard, selecting PLUGINS, selecting the All in One SEO Pack, and choosing UPDATE.