All in One SEO Pack
Security issue. Remove version from body (4 posts)

  1. Jim Burnett
     Member
     Posted 1 year ago

    First let me say that I love your plugin and I am a donator. With that said, please remove the plugin version from the blog body. This allows passive scanning from tools such as wp-scan and poses a security risk in the event that a vulnerability is found with your plugin.

    Thanks

    https://wordpress.org/plugins/all-in-one-seo-pack/

  2. cfultz
     Member
     Posted 1 year ago

    I completely agree. The plugin is excellent and works well above my expectations for any plugin, but with the version number in the body, this is giving a potential exploit notifier to any vulnerability scanner. All I'm asking is that you remove the version number. The rest of it is completely cool with me. Thank you for your hard work!

  3. Peter Baylies
     Member
     Plugin Author
     Posted 1 year ago

    Hi Jim,

    One thing you could try: define AIOSEOP_VERSION in your wp-config.php

    define( 'AIOSEOP_VERSION', 'x.xx' );

    I'll see if it's possible to add an option for this; note that this may not be easy, as the version gets set very early on in the plugin. Also, I can't guarantee that withholding the version number will afford you any real protection - often, hackers run automated tools that try exploits regardless of the displayed version number, without checking for them, because they already know that version numbers displayed on a webpage aren't a reliable way of checking what version of which software may actually be present.

  4. Jim Burnett
     Member
     Posted 1 year ago

    Peter, Thanks a ton for the reply.

    I was able to find a way to strip all comments from the final output by running filters with ob_start. Not the best solution, but it prevents version information like this from being leaked. Any disclosure of any version information is considered an information disclosure leak, regardless of the priority. While targeted attacks do exploit regardless of version numbers, the bots mainly do not.

    Thanks a ton for the consideration!

    -Jim
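The output-buffering approach Jim describes in post 4, written out as an added example. This is not code from the thread or from All in One SEO Pack; it is a hypothetical must-use plugin (file name and function name are assumptions) that buffers the rendered front-end page with ob_start and removes HTML comments, which is where the plugin's version banner lives. It keeps IE conditional comments and leaves the contents of script, style, pre and textarea elements alone, since "<!--" inside those elements is not an HTML comment and removing it would break the page. As Peter notes in post 3, this only hides one string: the plugin's own files under wp-content/plugins/all-in-one-seo-pack/ (readme.txt, for instance) are still fetchable, so scanners that request those directly are not affected.

```php
<?php
/**
 * Plugin Name: Strip HTML comments from front-end output (example)
 * Description: Added example, not part of All in One SEO Pack. Save as
 *              wp-content/mu-plugins/strip-html-comments.php (assumed path).
 */

// Buffer only public front-end pages. Admin screens, REST responses and
// WP-CLI output are not HTML documents and must not be rewritten.
add_action( 'template_redirect', function () {
	if ( is_admin()
		|| ( defined( 'REST_REQUEST' ) && REST_REQUEST )
		|| ( defined( 'WP_CLI' ) && WP_CLI ) ) {
		return;
	}
	// The callback runs once on the complete buffer when it is flushed at
	// the end of the request, so it sees the whole document.
	ob_start( 'example_strip_html_comments' );
} );

/**
 * Remove HTML comments from a rendered HTML document.
 *
 * Kept on purpose:
 *  - conditional comments: <!--[if ...]>, <!--<![endif]-->, <!--> markers
 *  - anything inside <script>, <style>, <pre>, <textarea>
 *
 * @param string $html Complete page as produced by the theme and plugins.
 * @return string      Same page with ordinary comments removed.
 */
function example_strip_html_comments( $html ) {
	// Split the document so protected elements become separate chunks.
	// With PREG_SPLIT_DELIM_CAPTURE the captured elements land at odd
	// indexes; the text between them lands at even indexes.
	$parts = preg_split(
		'#(<(script|style|pre|textarea)\b[^>]*>.*?</\2\s*>)#is',
		$html,
		-1,
		PREG_SPLIT_DELIM_CAPTURE
	);
	if ( false === $parts ) {
		// preg_split failed (e.g. backtrack limit); send the page unchanged
		// rather than a truncated one.
		return $html;
	}

	foreach ( $parts as $i => $part ) {
		// Odd indexes are the protected elements themselves (and, because
		// of the backreference, the captured tag name): skip them.
		if ( $i % 3 !== 0 ) {
			continue;
		}
		// Remove every comment whose opening is not a conditional-comment
		// marker. The lazy .*? with the s flag spans multi-line comments.
		$parts[ $i ] = preg_replace(
			'#<!--(?!\[if)(?!<!)(?!>).*?-->#s',
			'',
			$part
		);
	}

	return implode( '', $parts );
}
```

Because the split pattern captures two groups (the whole element and the tag name used by the backreference), each protected element occupies two array slots, which is why the loop keeps only every third chunk. PHP flushes any open output buffer when the request ends, so the filtered page is sent without further action. Test the result by viewing the page source while logged out: the version comment should be gone, while a theme's conditional comments and inline scripts remain intact.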

Topic Closed

This topic has been closed to new replies.
