AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plain Text
Password Security / WordPress
All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users’ passwords to be written to the database in plaintext.
“A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them,” UpdraftPlus, the maintainers of AIOS, said.
“This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services’ logins are not protected by two-factor authentication, this could be a risk to the affected website.”
The issue surfaced nearly three weeks ago when a user of the plugin reported the behavior, stating they were “absolutely shocked that a security plugin is making such a basic security 101 error.”
AIOS also noted that the update removes the existing logged data from the database, but emphasized that successful exploitation requires a threat actor to have already compromised a WordPress site by other means and hold administrative privileges, or to have gained unauthorized access to unencrypted site backups.
“As such, the opportunity for someone to gain privileges that they did not already have is small,” the company said. “The patched version stops passwords from being logged, and clears all previous saved passwords.”
As a precaution, it’s recommended that users enable two-factor authentication on WordPress and change the passwords, particularly if the same credential combinations have been used on other sites.
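Because the exposure also reaches anyone holding an unencrypted backup taken while the bug was live, a site owner will want to check old dumps rather than trust them. The following is an added example, not code from AIOS, UpdraftPlus or WordPress: it scans a mysqldump-style backup for a canary password belonging to a test account you control (so a hit proves a plaintext leak without needing to know which table a plugin used), and separately flags any password-named column whose value is not a phpass or bcrypt hash of the kind WordPress core stores. The dump text, the `wp_example_login_log` table and the hash and password strings in it are constructed for the example; the `$P$`, `$H$`, `$2y$`, `$2a$`, `$2b$` and `$argon2` prefixes are the recognised hash formats it assumes.

```python
"""Scan a SQL backup for plaintext credentials (added example, not project code).

Assumptions: mysqldump-style single-line INSERT statements, single-quoted
values with backslash or doubled-quote escaping, and that legitimately stored
password hashes start with one of HASH_PREFIXES (phpass/bcrypt/argon2).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

HASH_PREFIXES = ("$P$", "$H$", "$2y$", "$2a$", "$2b$", "$argon2")
PASSWORD_COLUMN = re.compile(r"pass|pwd|secret", re.IGNORECASE)
INSERT_RE = re.compile(
    r"INSERT INTO `?(?P<table>\w+)`?\s*\((?P<cols>[^)]*)\)\s*VALUES\s*(?P<values>.*);\s*$",
    re.IGNORECASE,
)
# Tokens of a VALUES list: parens, commas, quoted strings, NULL, numbers.
TOKEN_RE = re.compile(r"\(|\)|,|'((?:[^'\\]|\\.|'')*)'|(NULL)|(-?\d+(?:\.\d+)?)", re.IGNORECASE)

# Constructed sample backup; hashes, passwords and the login-log table are made up.
SAMPLE_DUMP = r"""
-- Constructed sample backup (not real site data).
INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_email`) VALUES (1,'admin','$P$BdHIbW1X3Gq9fT0Gzz1Km.0xa8zJ4A0','admin@example.test'),(2,'canary','$2y$10$abcdefghijklmnopqrstuv','canary@example.test');
INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`) VALUES (1,'blogname','Example Site'),(2,'example_login_log','a:1:{s:8:\"password\";s:18:\"Tr0ub4dor&3-canary\";}');
INSERT INTO `wp_example_login_log` (`id`, `user_login`, `password`, `ip`) VALUES (1,'admin','correct horse battery staple','203.0.113.5'),(2,'admin','','203.0.113.5');
"""
# Password of a throwaway test account created before the backup was taken.
CANARIES = frozenset({"Tr0ub4dor&3-canary"})


@dataclass(frozen=True)
class Finding:
    kind: str      # "canary": a known plaintext password appears; "unhashed": password column not hashed
    table: str
    column: str
    row: int
    value: str


def unescape(s: str) -> str:
    """Undo MySQL string escaping: backslash-escapes and doubled single quotes."""
    return re.sub(r"\\(.)|''", lambda m: m.group(1) if m.group(1) is not None else "'", s)


def parse_values(values: str) -> list[list[str | None]]:
    """Parse ('a','b'),(NULL,3) into rows; strings are unescaped, NULL becomes None."""
    rows: list[list[str | None]] = []
    row: list[str | None] = []
    for m in TOKEN_RE.finditer(values):
        tok = m.group(0)
        if tok == "(":
            row = []
        elif tok == ")":
            rows.append(row)
        elif tok == ",":
            continue
        elif m.group(2) is not None:
            row.append(None)
        elif m.group(1) is not None:
            row.append(unescape(m.group(1)))
        else:
            row.append(m.group(3))
    return rows


def scan_dump(dump: str, canaries: frozenset[str] = frozenset()) -> list[Finding]:
    """Return every cell that leaks a canary or holds an unhashed password-like value."""
    findings: list[Finding] = []
    for line in dump.splitlines():
        m = INSERT_RE.match(line.strip())
        if not m:
            continue
        table = m.group("table")
        cols = [c.strip().strip("`") for c in m.group("cols").split(",")]
        for r, row in enumerate(parse_values(m.group("values"))):
            for col, val in zip(cols, row):
                if not isinstance(val, str) or not val:
                    continue
                # Substring match so serialized option blobs are caught too.
                if any(c in val for c in canaries):
                    findings.append(Finding("canary", table, col, r, val))
                elif PASSWORD_COLUMN.search(col) and not val.startswith(HASH_PREFIXES):
                    findings.append(Finding("unhashed", table, col, r, val))
    return findings


if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP, CANARIES):
        print(f"{f.kind:8} {f.table}.{f.column} row {f.row}: {f.value!r}")
```

Run it against a real dump with `scan_dump(open("backup.sql").read(), frozenset({"<test-account-password>"}))`. The canary check is the reliable part: it does not depend on guessing where a plugin wrote the data. The unhashed-column heuristic is only a prompt to look closer, since a column called `password` can legitimately hold a setting rather than a credential.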
The disclosure comes as Wordfence revealed a critical flaw impacting WPEverest’s User Registration plugin (CVE-2023-3342, CVSS score: 9.9) that has over 60,000 active installations. The vulnerability has been addressed in version 3.0.2.1.
“This vulnerability makes it possible for an authenticated attacker with minimal permissions, such as a subscriber, to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server,” Wordfence researcher István Márton said.
Related news
The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1.