The WordPress security plugin All-in-One Security (AIOS) silently logged users’ sign-in activity, including their passwords, in plaintext. The plugin team fixed the flaw after it was publicly disclosed. Since the patch is now available, WordPress admins should update their websites immediately.
AIOS WordPress Plugin Stored Plaintext Passwords
The developers of the AIOS WordPress plugin have released an update addressing a severe security flaw.
According to their advisory, the plugin logged users’ passwords in plaintext in the WordPress database. Anyone with read access to that database, or to a backup or export of it, could recover the passwords, and the risk extends beyond the site itself wherever admins reused the same password on other services without two-factor authentication.
AIOS – All-in-One Security – is a dedicated WordPress security plugin that protects websites from common cybersecurity threats. Its features include copy protection and iFrame prevention to limit content theft, comment spam filtering, and a web application firewall.
While the plugin is undeniably useful, logging passwords in plaintext undermines the very purpose of a security plugin.
The vulnerability became publicly known after a user reported the matter in the official WordPress support forum. As highlighted in the complaint, the plugin wrote its login audit trail to the aiowps_audit_log table in the WordPress database: logins, logouts, failed sign-in attempts, and, most alarming of all, the users’ passwords in plaintext, in violation of basic security standards.
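The bug class described above, and what a site owner can do about rows that were already written, as an added illustration in Python; this is not the AIOS plugin’s own code, which is PHP. The row shape (a dict with id, username, event_type and a JSON-encoded details column), the field name "pwd" for the password (what WordPress’s own wp-login.php form posts) and the sample rows are assumptions constructed for the example; the real aiowps_audit_log schema may differ. It shows the unsafe logging pattern beside a redacting one, then scans a set of existing audit rows for plaintext credentials and purges them.

```python
import json

# Form field names that carry a credential. WordPress's wp-login.php posts
# the password as "pwd" (and the username as "log"); the rest are generic
# names. Nothing under these keys may reach an audit log in the clear.
SENSITIVE_KEYS = frozenset({"pwd", "pass", "password", "user_pass", "pass1", "pass2"})
REDACTED = "[REDACTED]"


def audit_entry_unsafe(event_type: str, form: dict) -> dict:
    """The bug class reported against AIOS 5.1.9: the whole submitted login
    form, password included, is serialised into the row's details column."""
    return {
        "event_type": event_type,
        "username": form.get("log", ""),
        "details": json.dumps(form),  # leaks form["pwd"] in plaintext
    }


def redact(form: dict) -> dict:
    """Copy of `form` with every credential field replaced by a marker."""
    return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in form.items()}


def audit_entry(event_type: str, form: dict) -> dict:
    """Hardened form: redact before serialising, so the row still records
    who tried to log in but never the secret they submitted."""
    return {
        "event_type": event_type,
        "username": form.get("log", ""),
        "details": json.dumps(redact(form)),
    }


def find_leaked_credentials(rows):
    """Scan existing audit rows (for example pulled from a database dump) and
    return (row id, username, field name) for each credential still stored
    in the clear. Rows whose details are not a JSON object are skipped."""
    findings = []
    for row in rows:
        try:
            details = json.loads(row["details"])
        except (TypeError, ValueError):
            continue
        if not isinstance(details, dict):
            continue
        for key, value in details.items():
            if key.lower() in SENSITIVE_KEYS and value not in ("", REDACTED):
                findings.append((row["id"], row["username"], key))
    return findings


def purge_leaked_credentials(rows):
    """Return the rows with credential fields redacted. Row count and every
    other field are preserved so the audit trail itself stays usable."""
    cleaned = []
    for row in rows:
        try:
            details = json.loads(row["details"])
        except (TypeError, ValueError):
            cleaned.append(dict(row))
            continue
        if isinstance(details, dict):
            details = redact(details)
        cleaned.append({**row, "details": json.dumps(details)})
    return cleaned


# Constructed sample rows in the assumed shape; not real AIOS data.
SAMPLE_ROWS = [
    {"id": 1, "username": "admin", "event_type": "successful_login",
     "details": json.dumps({"log": "admin", "pwd": "Tr0ub4dor&3"})},
    {"id": 2, "username": "editor", "event_type": "failed_login",
     "details": json.dumps({"log": "editor", "pwd": "wrong-guess"})},
    {"id": 3, "username": "admin", "event_type": "logout", "details": "{}"},
    {"id": 4, "username": "", "event_type": "firewall", "details": "blocked /xmlrpc.php"},
]

if __name__ == "__main__":
    for rid, user, key in find_leaked_credentials(SAMPLE_ROWS):
        print(f"row {rid}: plaintext credential in field {key!r} for user {user!r}")
    assert find_leaked_credentials(purge_leaked_credentials(SAMPLE_ROWS)) == []
```

Note that a failed login attempt (row 2 above) leaks something too: the wrong guess is very often a valid password for the same user on another service, or the correct one with a typo, which is why the scan flags failed attempts as well as successful ones. Purging the live table also does nothing for database backups taken while the vulnerable version was active; those need to be treated as containing credentials.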
In response, the support agent assured the user that a fix was coming and even shared development builds as a stopgap. Nonetheless, given the severity of the issue, the delay in releasing a proper patch concerned many users. Oliver Sild, CEO of Patchstack, also highlighted in a tweet that the flaw threatened over a million websites.
It has more than 1 million active installations btw. So far the developers haven’t even told the users to change all passwords. Due to the scale, we will 100% see hackers harvest the credentials from the logs of compromised sites that run (or have run) this plugin.
— Oliver Sild (@OliverSild) July 12, 2023
The vulnerability affected AIOS version 5.1.9; the team addressed it in the now-released version 5.2.0. The developers have also documented the fix in the changelog on the plugin page.
Since the patch is now available, all WordPress admins should update to the latest version immediately. Updating alone is not enough, though: any passwords already written to the audit log remain readable in the live table and in every database backup or export made while the vulnerable version was active. Administrators should therefore also purge those log entries and have affected users change their passwords, especially any that are reused elsewhere.