WordPress plugin All-In-One Security (AIOS) 5.1.9 with severe vulnerability

[German]WordPress users who are still using the plugin All-In-One Security (AIOS) in version 5.1.9 should react immediately. UpdraftPlus, the maintainer, has issued a security alert because the plugin was storing user login passwords in plain text in the database.


In the security alert, dated July 13, 2023, UpdraftPlus writes that a bug in version 5.1.9 has been fixed in plugin AIOS version 5.2.0 and newer. The bug caused users' passwords to be added to the WordPress database in clear text. A malicious website administrator (i.e. a user who is already logged into the website as an administrator) could have then read these passwords.

This becomes a problem when these website administrators try these passwords on other services where your users might have used the same password. If the logins to these other services are not protected by two-factor authentication, this could pose a risk to the affected website.

After the problem was reported, the developer not only fixed it starting with version 5.2.0. But these updates also remove the existing logged data, so that they are no longer present after an update. The information came almost 3 weeks ago from a user who reported the bug in the forum and wrote:

I was absolutely shocked that a security plugin is making such a basic security 101 error (not to mention being out of compliance with NIST 800-63-3, ISO27000, CIS, HIPAA, GDPR, ….)

It's again an example that shows me that it's helpful security-wise to use as few plugins as possible, keep them up to date, and if necessary, not require users to log in. This prevents the exploitation of vulnerabilities in WordPress that can be done by logged in users – as The Hacker News outlines here.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *