All in One SEO Pack must be suspended until the security vulnerabilities are fixed

[aldenml]

Jeffro, for better or worse (and I don't know if you are happy with it), this forum is quite more effective than any place in WP.org (including the dev blog). The reasons I didn't fully explored all the proper channels are:

- My previous experience with MarkR is a really bad one. Maybe he is doing a terrific job, but I have examples that he was not following the guidelines.

- My previous experience writing an email to WP.org is similar to doing this on my console$ echo "message" > /dev/null

- I would like to see AIOSEO fixed rather than yanked and I know Michael is aware of the problem at least in the original form.

About getting in touch with Michael Torbert (similar question, an author from a popular plugin asked me). Why in this world I need to contact him? He is making money from a popular plugin, he is responsible for a plugin downloaded thousand of times a day, he has left a plugin untouched with recognized security flaws for about 3 months.

[Jeffro]

About getting in touch with Michael Torbert (similar question, an author from a popular plugin asked me). Why in this world I need to contact him? He is making money from a popular plugin, he is responsible for a plugin downloaded thousand of times a day, he has left a plugin untouched with recognized security flaws for about 3 months.

Well then, I don't know what to do. I'm no security expert and I know Michael is a smart guy. I let him know about this particular forum thread but he said that you have not gotten in touch with him and he is not sure what you are referring to regarding the attack so he has no take on the matter.

[chipbennett]

Jeffro, for better or worse (and I don't know if you are happy with it), this forum is quite more effective than any place in WP.org (including the dev blog). The reasons I didn't fully explored all the proper channels are:

- My previous experience with MarkR is a really bad one. Maybe he is doing a terrific job, but I have examples that he was not following the guidelines.

- My previous experience writing an email to WP.org is similar to doing this on my console$ echo "message" > /dev/null

- I would like to see AIOSEO fixed rather than yanked and I know Michael is aware of the problem at least in the original form.

About getting in touch with Michael Torbert (similar question, an author from a popular plugin asked me). Why in this world I need to contact him? He is making money from a popular plugin, he is responsible for a plugin downloaded thousand of times a day, he has left a plugin untouched with recognized security flaws for about 3 months.

I think that, since you have new information regarding the vulnerability - i.e. you have proof-of-concept evidence of an Editor-level exploit - you should definitely send that information to Michael.

After that, the burden of response is completely on him, either to explain why the proof-of-concept was in error, why the exploit isn't dangerous, or else why he has (or hasn't) patched the vulnerability.

(And, since he's an active WPTavern Forum member, I don't think it's too much to expect a response. I'm a bit surprised he hasn't responded yet to this thread.)

[aldenml]

@chipbennett, my common sense is telling me that you are right (despite what I think about this particular plugin business). I have sent an email with the details and how to fix it via contact form in the Michael Torbert blog.

Once the plugin is fixed, I have plans to put all the emails here.

(I'm not surprised at all he hasn't responded to this thread.)

[David Law]

Has the security issue been resolved with All in One?

In the process of adding the plugin as the base for a theme options page to the Stallion SEO Theme http://www.stallion-theme.com/stalli...#comment-10549 and doing my due dillagence on the code I've added and found this thread.

I had a look at the Light SEO code and saw the esc_html code difference between the two plugins, have updated the AIOSEOP I'm using (base is version 1.6.13.8) with esc_html but couldn't confirm that's all needs doing to fix the code (assuming AIOSEOP is still vulnerable?).

Half a dozen Google searches and I couldn't confirm AIOSEOP has been fixed, you'd think with so many users this would have been discussed all over the place.

David

[Pat in Michigan]

I'd like to know an answer to this too. I use the plug in.

[andreasnrb]

Just use WordPress SEO instead =)

[Ryan]

It was present for a year or so but I think it has been fixed now.

Take andreasnnrb's advice though, use WordPress SEO. Joost is awesome.