23 Dec 2021

GoDaddy (Through Sucuri) Spreads Misinformation About Recently Fixed Vulnerabilities in All in One SEO

A month ago, GoDaddy was in the news after announcing a data breach of information for customers using their managed WordPress hosting service. What was lacking in the coverage of that is that GoDaddy owns a major web security provider, Sucuri. It seems like if a web host owns a major security provider they should have a good handle on security, not fail to handle the basics, as the breach showed.

For those knowledgeable about security, the apparent incongruity really wasn’t surprising, since Sucuri has always been run by people that don’t seem to have much of a grasp of security. That could be seen again in a post earlier this week about vulnerabilities recently fixed in a popular WordPress plugin, All in One SEO.

Timeline

On December 7, updates were released to address a serious vulnerability in the plugin and another, less serious vulnerability.

On the same day, websites running an affected version of the plugin started being automatically updated, even where the WordPress automatic update process was not enabled for the plugin.

On December 13, we provided details on the serious vulnerability to our customers.

On December 14, further details were disclosed by the discoverers, Automattic.

On December 21, Sucuri put out a post about this, credited to Ben Martin. It doesn’t add anything of value, while including a lot of false information. We are guessing the post was intended to get them press coverage (which it did) and to promote their service, despite nothing indicating that it provided something better than other options for dealing with this situation.

Ben Martin Doesn’t Know WordPress

The author of the post doesn’t seem to have a basic grasp of WordPress, as they claim that user registration is enabled by default with WordPress, which it isn’t:

Both vulnerabilities require that the attacker have an account on the website, but the account could be as low-level as a subscriber. WordPress websites by default allow any user on the web to create an account.

All they would have had to have done to check on that was install a copy of WordPress, but they didn’t.

Earlier in the post, the author leaves out an important detail: it warns about the danger of leaving the plugin unpatched, without noting the forced automatic update that had already occurred two weeks before:

The plugin is used by more than three million websites and if left unpatched could cause some serious headaches for WordPress users.

Wrong Versions

On a key detail, what versions are impacted, Sucuri gets things wrong:

It affects versions 4.0.0 and 4.1.5.2 of All in One SEO.

If your website is using All in One SEO be sure to update to the most recent version as soon as possible!

In reality, as part of the forced update process, new versions were released for older impacted versions. So any of these versions are protected against the vulnerability:

  • 4.0.18
  • 4.1.0.3
  • 4.1.1.2
  • 4.1.2.3
  • 4.1.3.4
  • 4.1.4.5
  • 4.1.5.3

(Versions older than 4.0 were not impacted in the first place.)

This seems likely to cause people who received the forced update, and are therefore already protected, to be unnecessarily concerned.
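Because the fix was backported to each affected release branch rather than only to the newest one, the question "is my installed version patched?" has to be answered per branch, not by comparing against 4.1.5.3 alone. The following is an added example (not code from the article, from Sucuri, or from the plugin's developers) that encodes the list of fixed versions given above and classifies an installed version accordingly. It assumes that the branch of a fixed release is every version component but the last, and that any version newer than the newest listed fix is a later release and therefore patched; both are assumptions made here, not statements from the article.

```python
"""Classify an installed All in One SEO version against the backported fixes."""
from typing import List, Tuple

# Fixed releases listed in the article, one per affected release branch.
FIXED_VERSIONS = ["4.0.18", "4.1.0.3", "4.1.1.2", "4.1.2.3",
                  "4.1.3.4", "4.1.4.5", "4.1.5.3"]

# The article states that versions older than 4.0 were not impacted.
FIRST_AFFECTED = "4.0"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.1.5.2' into (4, 1, 5, 2) so versions compare numerically, not as strings."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def check_version(installed: str) -> str:
    """Return 'not_affected', 'vulnerable' or 'patched' for an installed version."""
    v = parse_version(installed)
    if v < parse_version(FIRST_AFFECTED):
        return "not_affected"

    fixed: List[Tuple[int, ...]] = [parse_version(f) for f in FIXED_VERSIONS]
    for f in fixed:
        # Assumption: the branch is the fixed version minus its last component,
        # e.g. 4.1.3.4 fixes the 4.1.3.x branch and 4.0.18 fixes the 4.0.x branch.
        branch = f[:-1]
        if v[:len(branch)] == branch:
            return "patched" if v >= f else "vulnerable"

    # No backported branch matched. Assumption: anything newer than the newest
    # listed fix is a later release that already contains the fix.
    if v > max(fixed):
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs covering each outcome.
    for sample in ["3.7.1", "4.0.17", "4.0.18", "4.1.5.2", "4.1.5.3", "4.2.0"]:
        print(f"{sample:>8} -> {check_version(sample)}")
```

The branch matching is the part that Sucuri's "4.0.0 and 4.1.5.2" summary misses: 4.0.18 is older than 4.1.5.2 by simple ordering but is a patched release, while 4.1.5.2 is newer than 4.0.18 and is not.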

Sucuri is not alone in getting this wrong. Automattic’s post gets this wrong as well. So did two of our competitors in providing information on vulnerabilities in plugins:

WordPress Is Secure Where GoDaddy Isn’t

One of the most concerning elements of GoDaddy’s recent breach is that they were storing the plaintext of customers’ passwords. That is something that would have indicated that security was not being handled correctly many years ago. To have it still happening in 2021 should be shocking.

Instead of storing the plaintext, a hashed version of the password (a one-way transformation that cannot be reversed to recover the password) should be stored. WordPress manages to handle that, though you wouldn’t know it from Sucuri’s post.

The post at one point makes this claim:

When exploited in tandem, these two security holes allow an attacker to take over an unpatched WordPress website.

That is a reference to being able to read the contents of the database.

That is further explained later:

However, since the previous vulnerability described allowed for privilege escalation, the attackers could first elevate their privileges and then execute SQL commands to leak sensitive data from the database, including user credentials and admin information.

In terms of user credentials, the attacker could get usernames, which are not intended to be a secret, and the hashed version of passwords. As long as strong passwords were used, then it would be difficult for an attacker to get the password from the hash. Yet to read the post, it is treated as if that is likely to have occurred:

You will also want to review the administrator users present on your website. Remove any suspect users that you do not recognise, and for good measure change all administrator account passwords. It’s also prudent to add some additional hardening to your administrator panel.

Sucuri at no point claims this was exploited before the forced update and we have seen nothing to indicate that, so they seem to be again causing unnecessary concern.
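To make concrete what "storing a hashed version" buys you, and why a strong password matters once a hash has been read out of the database, here is an added example (not code from the article, and not how WordPress or GoDaddy implement password storage). It stores a salted PBKDF2 hash instead of the plaintext, verifies logins against it, and includes a defender-side audit that flags accounts whose stored hash matches a short list of common passwords. The iteration count, the record format and the sample user table are constructed for this example.

```python
"""Salted one-way password hashing, verification, and a weak-password audit."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Constructed parameters for this example; they are not WordPress's settings.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'algo$iterations$salt_hex$hash_hex'.

    Only this record is written to the database; the plaintext is discarded.
    A random per-user salt means two users with the same password get
    different records, so one cracked hash does not reveal the other.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def audit_weak_passwords(users: Dict[str, str], common_passwords: Iterable[str]) -> List[str]:
    """Return usernames whose stored hash matches one of the common passwords.

    This is the same computation anyone holding a copy of the hashes can do,
    which is why a hash only protects an account whose password is not guessable.
    """
    guesses = list(common_passwords)
    return [
        username
        for username, stored in users.items()
        if any(verify_password(guess, stored) for guess in guesses)
    ]


def demo() -> List[str]:
    """Constructed sample user table: one weak password, one strong one."""
    users = {
        "editor": hash_password("password123"),
        "admin": hash_password("correct-horse-battery-staple-7Q!x"),
    }
    common = ["123456", "password", "password123", "qwerty"]
    return audit_weak_passwords(users, common)


if __name__ == "__main__":
    print("accounts with guessable passwords:", demo())
```

The audit returns only the account with the guessable password; the strong one survives the same guessing, which is the point the article makes about hashed credentials being of limited use to an attacker when strong passwords are in use.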

Press Coverage

While Sucuri’s post should serve as a warning that Sucuri is to be avoided, it has already gotten coverage repeating their misinformation at Threatpost.

When Was Protection Added?

The final paragraph claims that their firewall protects against this, but is oddly silent on when that protection was added:

Users of our firewall are protected against these vulnerabilities.

Considering when their post came out and the lack of mention when that protection was added, it seems like it wasn’t done until well after it would have mattered.
