We've got a security alert from Media Temple today, saying this:
"This is an important security notice from (mt) Media Temple. During a routine security scan, we found indications that ...(domain name)... is running a vulnerable version of the All in One SEO Pack plugin for WordPress. The security vulnerabilities allow for cross-site scripting (XSS) attacks and privilege escalation attacks. This means that a member of your site (an author, subscriber, etc.) could possibly edit certain SEO fields on posts they don't normally have access to. This includes the SEO title, description, and keywords."
We've checked the version of the All in One SEO plugin, and we have installed version 2.1.6, which is the latest, even when we have WordPress 3.8.3 in there. We saw that the plugin was also last updated on June 2nd, 2014, but the version number has not changed.
So, do we have to update the All in One SEO plugin manually anyway, even though the latest version number is the same as the one we have installed, or is this an automatic email that Media Temple sends out to every hosting client they have, and we can just disregard it?