All in One SEO Pack
[resolved] aioseopadmin.pluginPath may be a security risk (5 posts)

  1. jorgeorpinel
    Member
    Posted 1 year ago #

    Using plugin version (2.0.4.1)

    On admin pages, the plugin defines

    var aioseopadmin = {
    ...

    in a <script> tag in the DOM. The pluginPath property has the full PATH to the file system location where the plugin lives.

    Most system admins will consider such a disclosure a security risk. I changed the following line in aioseop_functions.php from

    pluginPath: "<?php print AIOSEOP_PLUGIN_DIR; ?>",

    to

    pluginPath: "<?php print AIOSEOP_PLUGIN_BASENAME; ?>",

    since the value seems to be completely unused anyway.

    Please consider removing that value.

    https://wordpress.org/plugins/all-in-one-seo-pack/

  2. Peter Baylies
    Member
    Plugin Author

    Posted 1 year ago #

    Hi jorge,

    Thanks for the report; that's a fine patch for this. I'll see that it gets included in the next release.

  3. Hi jorgeorpinel,

    Thank you for reporting this. We'll fix it in the next release due out this week.

  4. jorgeorpinel
    Member
    Posted 1 year ago #

    Great! I'll upgrade as soon as that happens (and mark this as resolved).
    Thanks :)
    P.S. That was a super quick reply.

  5. jorgeorpinel
    Member
    Posted 1 year ago #

    I can confirm this is fixed in 2.1.4, thanks.
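
Added example, not part of the thread and not the plugin's own code: a regression check that scans rendered admin-page HTML for absolute filesystem paths inside inline scripts, the kind of value the first post reports in aioseopadmin.pluginPath. The sample HTML and the path in it are constructed, and the list of root directories and the names find_path_leaks and InlineScripts are assumptions for illustration; the check also undoes JSON-escaped slashes, which goes beyond the case in the thread.

```python
import re
from html.parser import HTMLParser

# Constructed sample of rendered admin-page HTML; the path is made up.
SAMPLE_ADMIN_HTML = """<html><head><script type="text/javascript">
var aioseopadmin = {
    pluginPath: "/var/www/example/wp-content/plugins/all-in-one-seo-pack/",
    requestUrl: "/wp-admin/admin-ajax.php"
};
</script></head>
<body><p>pluginPath: "/var/www/outside-any-script/"</p></body></html>"""

# A quoted literal that starts at a common POSIX hosting root or a Windows
# drive letter, optionally preceded by the property or variable it is set on.
LEAK = re.compile(
    r"""(?:["']?([\w$]+)["']?\s*[:=]\s*)?(["'])"""
    r"""((?:/(?:var|home|srv|usr|opt|www)/|[A-Za-z]:[\\/])[^"'\r\n]*)\2"""
)


class InlineScripts(HTMLParser):
    """Collects the bodies of inline <script> elements and nothing else."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script" and "src" not in dict(attrs)

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)


def find_path_leaks(html):
    """Return (name, path) pairs for filesystem paths found in inline scripts."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    # json_encode-style output escapes "/" as "\/"; undo that before matching.
    scripts = "".join(parser.chunks).replace("\\/", "/")
    return [(m.group(1), m.group(3)) for m in LEAK.finditer(scripts)]


if __name__ == "__main__":
    for name, path in find_path_leaks(SAMPLE_ADMIN_HTML):
        print(f"{name or '<unnamed>'}: {path}")
```

Run it against the saved source of each admin page after an upgrade; an empty result for the aioseopadmin block corresponds to the fixed behaviour confirmed in the last post.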

Topic Closed

This topic has been closed to new replies.
