All in One SEO Pack
[resolved] aioseopadmin.pluginPath may be a security risk (5 posts)

  1. jorgeorpinel
    Member
    Posted 2 years ago #

    Using plugin version (2.0.4.1)

    On admin pages, the plugin defines

    var aioseopadmin = {
    ...

    in a <script> tag in the DOM. The pluginPath property has the full PATH to the file system location where the plugin lives.

    Most system admins will consider such a disclosure a security risk. I changed the following line in aioseop_functions.php from

    pluginPath: "<?php print AIOSEOP_PLUGIN_DIR; ?>",

    to

    pluginPath: "<?php print AIOSEOP_PLUGIN_BASENAME; ?>",

    since the value seems to be completely unused anyway.

    Please consider removing that value.

    https://wordpress.org/plugins/all-in-one-seo-pack/

  2. Peter Baylies
    Member
    Plugin Contributor

    Posted 2 years ago #

    Hi jorge,

    Thanks for the report; that's a fine patch for this, I'll see that it gets included into the next release.

  3. Steve Mortiboy
    Support Manager at Semper Fi
    Plugin Author

    Posted 2 years ago #

    Hi jorgeorpinel,

    Thank you for reporting this. We'll fix it in the next release due out this week.

  4. jorgeorpinel
    Member
    Posted 2 years ago #

    Great! I'll upgrade as soon as that happens (and mark this as resolved)
    Thanks :)
    P.S. That was a super quick reply.

  5. jorgeorpinel
    Member
    Posted 2 years ago #

    I can confirm this is fixed in 2.1.4, thanks.

Topic Closed

This topic has been closed to new replies.
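
A way to check rendered admin pages for the kind of disclosure reported in this thread, as an added example that is not part of the original posts or the plugin's code: it scans inline `<script>` blocks for string properties whose value is an absolute filesystem path. The list of root directories, the sample HTML and the `exampleCfg` object are assumptions constructed for illustration; only the `aioseopadmin.pluginPath` name comes from the thread.

```python
import re
from html.parser import HTMLParser

# Assumed heuristic: roots of a server filesystem path (not a URL path like /wp-admin/).
FS_ROOTS = ("/var/", "/home/", "/srv/", "/usr/", "/opt/", "/mnt/")
WIN_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")
# key: "value" pairs in an object literal or JSON; the key may be quoted.
PAIR = re.compile(r"""["']?([A-Za-z_$][\w$]*)["']?\s*:\s*(["'])((?:\\.|(?!\2).)*)\2""")


class InlineScripts(HTMLParser):
    """Collects the text of <script> elements that have no src attribute."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._inline = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

    def handle_data(self, data):
        if self._inline:
            self.scripts[-1] += data


def find_path_leaks(html):
    """Return (property, value) pairs whose value looks like an absolute server path."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    leaks = []
    for script in parser.scripts:
        for key, _quote, raw in PAIR.findall(script):
            value = raw.replace("\\/", "/").replace("\\\\", "\\")  # undo JS/JSON escapes
            if value.startswith(FS_ROOTS) or WIN_DRIVE.match(value):
                leaks.append((key, value))
    return leaks


# Constructed sample page; only the aioseopadmin.pluginPath name comes from the thread.
SAMPLE = r"""<script>var aioseopadmin = { pluginPath: "/var/www/example/wp-content/plugins/all-in-one-seo-pack" };</script>
<script>var exampleCfg = {"ajaxUrl":"\/wp-admin\/admin-ajax.php","cacheDir":"C:\\inetpub\\cache"};</script>"""

if __name__ == "__main__":
    print(find_path_leaks(SAMPLE))
```

Run against saved copies of admin pages before and after a plugin upgrade, an empty result for the second copy confirms the path is no longer emitted.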
