Security researchers have discovered vulnerabilities in a widely used WordPress extension that leaves sites susceptible to remote hijacking.

WordPress-powered sites that use the All in One SEO Pack should promptly install an update that fixes the privilege escalation vulnerabilities, Marc-Alexandre Montpas, a researcher with security firm Sucuri, wrote in a blog post published Saturday. Administrators can upgrade by logging in to the admin panel, selecting Plugins, and choosing the All in One entry. The just-released version that fixes the vulnerabilities is 2.1.6.

The worst of the attacks made possible by the bugs can allow attackers to inject malicious code into the admin control panel, Montpas warned. Malicious hackers could then change an admin's password or insert backdoor code into the underlying websites. Attackers could also remotely tamper with a site's search engine optimization settings. To exploit the bugs, attackers need only an unprivileged account on the site, such as one for posting reader comments. In some cases, the privilege escalation and cross-site scripting bugs in All in One SEO are combined with another vulnerability that Montpas didn't elaborate on.
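The two bug classes named above, privilege escalation and stored cross-site scripting, usually come down to a settings handler that skips a capability check, a nonce check, or output escaping. The following is an added illustration of the hardened pattern in WordPress's own PHP API, not code from All in One SEO Pack or from Sucuri's report; the option name, action name and form field are hypothetical.

```php
<?php
// Added illustration (not All in One SEO Pack code): a minimal settings
// handler with the checks whose absence typically lets a low-privilege
// account change plugin settings or store a script payload that runs in
// an administrator's browser. Hypothetical names: demo_seo_settings,
// demo_seo_save, demo_seo_title.

add_action( 'admin_post_demo_seo_save', 'demo_seo_save_settings' );

function demo_seo_save_settings() {
    // 1. Capability check: only users allowed to manage options reach
    //    this code. Without it, any logged-in subscriber who can submit
    //    the form can rewrite site-wide settings (privilege escalation).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }

    // 2. CSRF check: the request must carry the nonce bound to this action.
    check_admin_referer( 'demo_seo_save' );

    // 3. Sanitize on input: strip tags and control characters so the stored
    //    value cannot carry markup.
    $title = '';
    if ( isset( $_POST['demo_seo_title'] ) ) {
        $title = sanitize_text_field( wp_unslash( $_POST['demo_seo_title'] ) );
    }

    update_option( 'demo_seo_settings', array( 'title' => $title ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=demo-seo&updated=1' ) );
    exit;
}

function demo_seo_render_settings_page() {
    // Rendering is also gated, so a non-admin cannot even load the form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    $opts = get_option( 'demo_seo_settings', array( 'title' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_seo_save' ); ?>
        <input type="hidden" name="action" value="demo_seo_save">
        <!-- 4. Escape on output: esc_attr() renders a stored value inert in
             the admin page even if input sanitization was bypassed. -->
        <input type="text" name="demo_seo_title"
               value="<?php echo esc_attr( $opts['title'] ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

When auditing a plugin after an advisory like this one, the quick check is to grep every `admin_post_*`, `wp_ajax_*` and `admin_init` handler for `current_user_can()` and a nonce check, and every `echo` of stored data for an `esc_*()` call; a handler missing any of the four steps above is the shape of bug the update corrects.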

"If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk," the researcher wrote. "If you have open registration, you are at risk, so you have to update the plugin now."

The bug report and fix come a week after a researcher disclosed an unrelated weakness in WordPress.com-hosted sites that in many cases made them susceptible to hijacking. Developers say the unsafe browser cookie flaw will be fixed in the next scheduled WordPress release. All in One SEO has been downloaded more than 18.5 million times.