All in One SEO Pack
Security issue. Remove version from body (4 posts)

  1. Jim Burnett
    Member
    Posted 5 months ago

    First let me say that I love your plugin and I am a donator. With that said, please remove the plugin version from the blog body. This allows passive scanning from tools such as wp-scan and poses a security risk in the event that a vulnerability is found with your plugin.

    Thanks

    https://wordpress.org/plugins/all-in-one-seo-pack/

  2. cfultz
    Member
    Posted 5 months ago

    I completely agree. The plugin is excellent and works well above my expectations for any plugin, but with the version number in the body, this is giving a potential exploit notifier available for any vulnerability scanner. All I'm asking is that you remove the version number. The rest of it is completely cool with me. Thank you for your hard work!

  3. Peter Baylies
    Member
    Plugin Author

    Posted 4 months ago

    Hi Jim,

    One thing you could try - define AIOSEOP_VERSION in your wp-config.php

    define( 'AIOSEOP_VERSION', 'x.xx' );

    I'll see if it's possible to add an option for this; note that this may not be easy, as the version gets set very early on in the plugin. Also, I can't guarantee that withholding the version number will afford you any real protection - often, hackers run automated tools that try exploits regardless of the displayed version number, without checking for them, because they already know that version numbers displayed on a webpage aren't a reliable way of checking what version of which software may actually be present.

  4. Jim Burnett
    Member
    Posted 4 months ago

    Peter, Thanks a ton for the reply.

    I was able to find a way to strip all comments from the final output by running filters with ob_start. Not the best solution, but it prevents version information like this from being leaked. Any disclosure of any version information is considered an information disclosure leak, regardless of the priority. While targeted attacks do exploit regardless of version numbers, the bots mainly do not.

    Thanks a ton for the consideration!

    -Jim
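The output-buffer approach Jim describes, written out as an added example (not code from the thread or from the All in One SEO Pack plugin). It assumes a hypothetical must-use plugin file `wp-content/mu-plugins/strip-html-comments.php`; the function names and the regex are this example's own. It strips ordinary HTML comments from front-end pages (which is where a plugin's version banner comment would be emitted) while leaving IE conditional comments intact.

```php
<?php
/**
 * Plugin Name: Strip HTML Comments
 * Hypothetical mu-plugin (wp-content/mu-plugins/strip-html-comments.php).
 * Buffers front-end page output and removes HTML comments, so that
 * version strings emitted inside <!-- ... --> never reach the client.
 */

/**
 * Output-buffer callback: remove <!-- ... --> comments.
 * Conditional comments (<!--[if ...]> / <!--<![endif]-->) are kept so that
 * markup relying on them is not broken.
 */
function shc_strip_html_comments( $html ) {
    $out = preg_replace( '/<!--(?!\[if|<!)[\s\S]*?-->/', '', $html );
    // preg_replace() returns null on failure (e.g. backtrack limit);
    // in that case send the page unmodified rather than an empty body.
    return ( null === $out ) ? $html : $out;
}

/**
 * Open the buffer just before the theme template is loaded.
 * template_redirect only fires for front-end requests, so admin screens
 * are untouched; feeds are skipped because their consumers are not browsers
 * and we do not want to rewrite XML that other tools validate.
 */
function shc_start_buffer() {
    if ( is_feed() ) {
        return;
    }
    ob_start( 'shc_strip_html_comments' );
}
add_action( 'template_redirect', 'shc_start_buffer', 0 );

/**
 * Flush our buffer at shutdown so the callback runs before PHP exits.
 * PHP would flush it anyway, but doing it explicitly keeps ordering
 * predictable when other plugins also buffer output.
 */
function shc_end_buffer() {
    while ( ob_get_level() > 0 ) {
        ob_end_flush();
    }
}
add_action( 'shutdown', 'shc_end_buffer', 0 );
```

This removes the comment from the rendered HTML only; as Peter notes above, the plugin's presence can still be inferred from its asset paths and markup, so treat this as reducing passive disclosure, not as protection against an actual vulnerability.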
