The WordPress security plugin All-in-One Security (AIOS) silently logged users’ sign-in activities and passwords in plaintext. The plugin team fixed the flaw after public disclosure of the matter. Since the patch is now available, WordPress admins must update their websites immediately to prevent potential threats.
AIOS WordPress Plugin Stored Plaintext Passwords
Reportedly, the developer team behind the AIOS WordPress plugin has released a significant update addressing a severe security flaw.
According to their advisory, the plugin vulnerability resulted in logging users’ passwords in plaintext in the WordPress database. The flaw severely risked the WordPress websites’ security if the admins reused the same passwords on other services’ accounts without two-factor authentication.
AIOS – All-in-One Security – is a dedicated WordPress security plugin that protects websites from common cybersecurity threats. These include copywriting protection, iFrame prevention to limit content theft, comment spam filtering, and a web application firewall.
While the plugin boasts tremendous usefulness for websites, the blatant logging of passwords in plaintext seemingly failed the entire purpose of the plugin.
The vulnerability became publicly known after a user reported the matter via the official WordPress support section. As highlighted in the complaint, the plugin logged user login attempts to the aiowps_audit_log database, login and logout attempts, failed sign-in attempts, and the most alarming data – users’ passwords – in plaintext, violating the basic security compliance standards.
In response, the support agent assured the user about an upcoming fix, even sharing the development builds for a quick fix. Nonetheless, given the severity of the issue, the delayed release of the patch concerned numerous users too. Oliver Sild, CEO of Patchstack, also highlighted how the flaw threatened over a million websites in his tweet.
The vulnerability affected the AIOS plugin version 5.1.9, and the team subsequently addressed the flaw with the now-released version 5.2.0. The developers have also shared the vulnerability details on the plugin page’s changelog.
Since the patch is now available, all WordPress admins must update their websites with the latest version to avoid potential threats.
Let us know your thoughts in the comments.