Semper Plugins

Security Update for All in One SEO Pack

Semper Plugins announces the release of All in One SEO Pack 2.3.8 and All in One SEO Pack Pro 2.4.8, a security update to previous releases. We recommend that users of All in One SEO Pack and All in One SEO Pack Pro upgrade as soon as they are able to do so.

This release closes a security vulnerability first identified by David Vaartjes in a security hackathon last week. After being notified, we immediately issued 2.3.7 to patch the issue and protect our customers; we estimate the issue to have affected less than 0.5% of our customer base.

Meanwhile, we sought out any similar vulnerabilities in our code base and asked Wordfence, who helped us identify an additional case, to verify our fix, which they have.

As a third precautionary step, we are currently undergoing independent audits from Wordfence, Sucuri and Mark Jaquith, the three most trusted names in WordPress security. While one source might be sufficient, we are going above and beyond in our due diligence to ensure that our code base and our customers are as secure as possible.

Although All in One SEO Pack continues to be your best SEO solution for WordPress, bolstered by almost 30 million downloads and 5 million active users, we expect future updates in the coming months as we adopt any recommendations from our security audits to harden our code base. As with any plugin, theme or WordPress core, we recommend staying up to date.

We want to thank David Vaartjes for their responsible reporting. As noted above, a release (2.3.7) was issued immediately for the above issue, which we believe would only have been able to affect 0.5% or less of our users. Now we’ve gone even further, scouring our code base for potential vulnerabilities and issuing an additional release today (2.3.8), which Wordfence has verified.