SBA Security Advisory – WordPress Plugin – All in One SEO Pack – Stored XSS (CVE-2019-16520)

Vulnerability Overview

The all-in-one-seo-pack plugin before 3.2.7 for WordPress (aka All in One SEO Pack) is susceptible to Stored XSS due to improper encoding of the SEO-specific description for posts provided by the plugin via unsafe placeholder replacement.

  • Type of Vulnerability: Cross-site Scripting
  • Fixed in Version: 3.2.7
  • CVSSv3 Vector: AV:N/AC:L/PR::/UI:R/S:U/C:H/I:H/A:N
  • CVSSv3 Base Score: 7.3 (High)
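
The overview names the bug class without showing code, so the following is an added example, not code from All in One SEO Pack, of one way placeholder replacement can undo output encoding, with the hardened ordering beside it. The placeholder name `%post_title%`, the function names and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration of the bug class; this is NOT the plugin's code.
// The placeholder name and all function names are hypothetical.

// Unsafe ordering: the template is encoded first, then the placeholder is
// filled with a raw, author-controlled value. The substituted value reaches
// the HTML attribute without any encoding.
function render_description_unsafe(string $template, array $values): string
{
    $encoded = htmlspecialchars($template, ENT_QUOTES, 'UTF-8');
    $filled  = strtr($encoded, $values); // raw values inserted after encoding
    return '<meta name="description" content="' . $filled . '" />';
}

// Hardened ordering: fill the placeholders first, then encode the complete
// string once, at the point where it is written into the attribute.
// (In WordPress code, esc_attr() is the usual function for this context.)
function render_description_safe(string $template, array $values): string
{
    $filled = strtr($template, $values);
    return '<meta name="description" content="'
        . htmlspecialchars($filled, ENT_QUOTES, 'UTF-8') . '" />';
}

// Regression check: a well-formed tag produced by the functions above has
// exactly four double quotes (two attributes) and one pair of angle brackets.
// Anything else means the description value escaped its attribute.
function attribute_is_intact(string $tag): bool
{
    return substr_count($tag, '"') === 4
        && substr_count($tag, '<') === 1
        && substr_count($tag, '>') === 1;
}

// Constructed sample input: a description template and a post title that
// contains a double quote and markup characters.
$template = 'Read more about %post_title% on our blog';
$values   = ['%post_title%' => 'Sale" data-x="1"><b>injected</b>'];

foreach (['render_description_unsafe', 'render_description_safe'] as $render) {
    $tag = $render($template, $values);
    echo $render, PHP_EOL, '  ', $tag, PHP_EOL;
    echo '  attribute intact: ';
    var_dump(attribute_is_intact($tag));
}
```

A check like `attribute_is_intact()` can be used as a regression test on rendered meta tags after upgrading.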

Recommended Countermeasure

We recommend updating the all-in-one-seo-pack plugin to version 3.2.7 or later. For further details, see the full security advisory.


Full Security Advisory