17 Sep 2024

Awesome Motive’s 3+ Million Install All in One SEO Plugin Is Tracking Usage Without Consent

The WordPress Plugin Review Team is currently considering restrictions on plugins automatically installing additional plugins during setup. A couple of the major offenders, when it comes to doing that, have chimed in. Unsurprisingly, they are suggesting not stopping that from happening. One of those was the CEO of the not so awesome Awesome Motive. Their automatic installation of additional plugins causes problems for users of Awesome Motive plugins, as well as introducing additional security risk to the websites, as their plugins have had plenty of security vulnerabilities over the years. While looking into how those players are currently handling that automatic installation, we noticed that a couple of multi-million install plugins from them are tracking usage without users choosing to opt in, and in the case of Awesome Motive’s 3+ Million Install All in One SEO, without disclosing that usage tracking is being enabled.

Here is how the guidelines for the Plugin Directory explain how usage tracking should be handled: [Read more]

10 Mar 2023

Not Really a WordPress Plugin Vulnerability, Week of March 10

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Authenticated (Administrator+) Stored Cross-Site Scripting in All in One SEO

Wordfence claimed that the plugin All in One SEO had contained an authenticated (Administrator+) stored cross-site scripting vulnerability, which they described in part this way: [Read more]

23 Dec 2021

GoDaddy (Through Sucuri) Spreads Misinformation About Recently Fixed Vulnerabilities in All in One SEO

A month ago, GoDaddy was in the news after announcing a data breach of information for customers using their managed WordPress hosting service. What was lacking in the coverage of that is that GoDaddy owns a major web security provider, Sucuri. It seems like if a web host owns a major security provider they should have a good handle on security, not fail to handle the basics, as the breach showed.

For those knowledgeable about security, the apparent incongruity really wasn’t surprising, since Sucuri has always been run by people that don’t seem to have much grasp on security. That could be seen again in a post earlier this week about vulnerabilities recently fixed in a popular WordPress plugin, All in One SEO. [Read more]