Used by over a million sites, the WordPress plugin AIOS was found to record passwords in clear text

The Bleeping Computer website disclosed that the All-In-One Security (AIOS) WordPress security plugin, used by more than one million WordPress websites, was found to record the plaintext passwords that users enter when logging in into the website's database, which may endanger account security.


AIOS is an all-in-one solution developed by Updraft that provides web application firewall, content protection and login security tools for WordPress sites to block bots and prevent brute force attacks.

About three weeks ago, a user reported that the AIOS v5.1.9 plugin not only logs user login attempts to the aiowps_audit_log database table, which tracks login, logout, and failed-login events, but also records the passwords that were entered. The user was concerned that this violates several security compliance standards, including NIST 800-63-3, ISO 27000, and GDPR.


Initial report of the vulnerability (wordpress.org)

After receiving the report, Updraft responded that the problem was a "known bug" and gave a vague promise that it would be fixed in the next version. After realizing the seriousness of the problem, Updraft support provided concerned users with the upcoming development version two weeks ago, but users who tried to install that development version pointed out that the password log still had not been deleted.

A fix is now released

On July 11, the AIOS vendor released version 5.2.0, which includes a fix that prevents plaintext passwords from being saved and clears the old entries. The AIOS vendor reiterated in its announcement that the 5.2.0 release fixes a bug in version 5.1.9 that caused user passwords to be added to the WordPress database in clear text.
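As an added illustration, not the plugin's own code, here is the logging pattern described above beside its fixed form, together with a schema-agnostic scan a site owner can adapt to check whether an audit table still holds a known canary password, and the clean-up that clears old entries. The table and column names are constructed for the example; the article only names the aiowps_audit_log table.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema for the demo; it is NOT the plugin's real table layout.
SCHEMA = """
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    created_at TEXT NOT NULL,
    username TEXT NOT NULL,
    event TEXT NOT NULL,   -- 'login', 'logout' or 'failed_login'
    ip TEXT,
    details TEXT           -- free-text column where a password could leak
);
"""
INSERT = ("INSERT INTO audit_log (created_at, username, event, ip, details) "
          "VALUES (?, ?, ?, ?, ?)")

def log_attempt_vulnerable(conn, username, password, success, ip):
    """Buggy pattern: the submitted password ends up in the free-text column."""
    conn.execute(INSERT, (datetime.now(timezone.utc).isoformat(), username,
                          "login" if success else "failed_login", ip,
                          f"attempted password={password}"))

def log_attempt_hardened(conn, username, password, success, ip):
    """Fixed pattern: the secret never reaches the persistence layer."""
    del password  # drop it before anything is written
    conn.execute(INSERT, (datetime.now(timezone.utc).isoformat(), username,
                          "login" if success else "failed_login", ip, None))

def rows_containing(conn, table, needle):
    """Scan every column of `table` for `needle` without knowing the schema."""
    cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
    where = " OR ".join(f'CAST("{c}" AS TEXT) LIKE ?' for c in cols)
    return conn.execute(f'SELECT id FROM "{table}" WHERE {where}',
                        [f"%{needle}%"] * len(cols)).fetchall()

def purge_leaked_details(conn):
    """Clean-up: wipe the free-text column that held secrets; returns rows hit."""
    return conn.execute("UPDATE audit_log SET details = NULL "
                        "WHERE details IS NOT NULL").rowcount

def demo():
    """Returns (leaked rows before purge, rows purged, leaked after, total rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    canary = "Canary-Pa55word!"  # constructed test password, never a real one
    log_attempt_vulnerable(conn, "alice", canary, False, "203.0.113.7")
    leaked_before = len(rows_containing(conn, "audit_log", canary))
    purged = purge_leaked_details(conn)
    log_attempt_hardened(conn, "alice", canary, True, "203.0.113.7")
    leaked_after = len(rows_containing(conn, "audit_log", canary))
    total = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    return leaked_before, purged, leaked_after, total
```

The same canary approach applies to a live site: log in with a throwaway test password, then scan the audit table for it; a hit means the logging path still stores credentials.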

This poses a security concern if "malicious" webmasters try the exposed passwords on other services where users may reuse them. Furthermore, where an exposed user's accounts on those platforms are not protected by two-factor authentication, a "malicious" administrator can easily take them over.

Beyond the risk posed by "malicious" administrators, sites using AIOS are also at risk from attackers who, once they gain access to the site's database, can read user passwords in clear text.


As of publication, WordPress.org statistics show that only about a quarter of AIOS users have updated to version 5.2.0, so an estimated more than 750,000 websites remain vulnerable.

Worse, WordPress has long been a target of attackers, so some websites using AIOS may already have been compromised. The issue has also been circulating on the Internet for more than three weeks, and Updraft did not warn users that their exposure was growing; some security incidents may therefore already have occurred.

Finally, websites using AIOS should update to the latest version as soon as possible and require users to reset their passwords.


Source: blog.csdn.net/FreeBuf_/article/details/131771808