All-In-One Security (AIOS), a popular plugin used on over a million WordPress sites, recently discovered a security issue that could potentially compromise user passwords. The plugin was found to be logging plaintext passwords from login attempts in the database. However, the issue has since been patched in the latest version, 5.2.0.
The problem was first reported on the plugin’s support forum by a user named @c0ntr07. They expressed shock and concern over the fact that a security plugin would make such a basic security mistake. They also mentioned that this vulnerability could lead to a failed security review and audit by third-party compliance auditors.
A support representative from AIOS confirmed that this was a known bug in the previous release and offered a development copy of a zip file with a fix. However, it took more than two weeks for the patch to be officially released.
In version 5.2.0, released on July 10, 2023, AIOS listed several security updates in the plugin's changelog. These updates remove authentication data from the stack trace before it is saved to the database, and set tighter restrictions on what subsite admins can do in a multisite environment.
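The fix described above, scrubbing credentials out of a stack trace before it is written to a database table, is a general defensive pattern. The following PHP is an added example written for this article, not AIOS plugin code: it assumes an illustrative list of credential field names (WordPress's login form posts the password as `pwd`; the other names are assumptions) and uses a constructed trace in the shape `debug_backtrace()` produces, with a frame mimicking `wp_authenticate($username, $password)`.

```php
<?php
// Added example (not from the AIOS plugin): redact credentials from a
// debug_backtrace()-style array before it is persisted to a log table.

// Request field names treated as credentials. 'pwd' is WordPress's login
// password field; the rest are illustrative assumptions for this example.
const SENSITIVE_FIELDS = ['pwd', 'password', 'pass1', 'pass2', 'user_pass', 'auth_key'];

/**
 * Collect secret values from the current request so that any trace argument
 * equal to one of them can be masked wherever it appears (positional function
 * arguments carry no key, so key-based redaction alone is not enough).
 */
function collect_secrets(array $request): array {
    $secrets = [];
    foreach ($request as $key => $value) {
        if (is_string($value) && $value !== ''
            && in_array(strtolower((string) $key), SENSITIVE_FIELDS, true)) {
            $secrets[] = $value;
        }
    }
    return $secrets;
}

/** Recursively replace sensitive keys and known secret values with a marker. */
function redact_value($value, array $secrets, $key = null) {
    if ($key !== null && in_array(strtolower((string) $key), SENSITIVE_FIELDS, true)) {
        return '[REDACTED]';
    }
    if (is_string($value)) {
        return in_array($value, $secrets, true) ? '[REDACTED]' : $value;
    }
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $out[$k] = redact_value($v, $secrets, $k);
        }
        return $out;
    }
    if (is_object($value)) {
        // Never serialise arbitrary objects into a log; they may hold credentials too.
        return '[object ' . get_class($value) . ']';
    }
    return $value;
}

/** Scrub every frame's 'args' so the trace is safe to store. */
function redact_backtrace(array $trace, array $secrets): array {
    foreach ($trace as $i => $frame) {
        if (isset($frame['args'])) {
            $trace[$i]['args'] = redact_value($frame['args'], $secrets);
        }
    }
    return $trace;
}

// Constructed sample request and trace (not captured from a real site).
$request = ['log' => 'alice', 'pwd' => 'hunter2-Correct', 'wp-submit' => 'Log In'];
$trace = [
    ['function' => 'wp_authenticate', 'args' => ['alice', 'hunter2-Correct']],
    ['function' => 'wp_signon',       'args' => [['user_login' => 'alice', 'user_password' => 'hunter2-Correct']]],
];

$secrets      = collect_secrets($request);
$safe_trace   = redact_backtrace($trace, $secrets);
$safe_request = redact_value($request, $secrets);

// Guard before the INSERT: the plaintext password must not survive in any serialised form.
$serialised = json_encode([$safe_trace, $safe_request]);
if (strpos($serialised, 'hunter2-Correct') !== false) {
    throw new RuntimeException('credential leaked into log payload');
}
echo $serialised, PHP_EOL;
```

The value-based pass is what catches the positional `wp_authenticate` argument and the `user_password` key, which is not in the field list; the key-based pass handles request arrays where the key is known. Where a plugin needs no arguments at all, `debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS)` omits them entirely and is the simpler fix; the final check before the database write is the layer that would have caught this bug regardless of which approach is used.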
Users are strongly advised to update their AIOS plugin to version 5.2.0 or higher immediately to ensure the security of their sites. Unfortunately, at the time of publishing, very few users have actually updated to the latest version. This means that hundreds of thousands of users are still running version 5.1.9 and remain vulnerable to potential attacks.
Oliver Sild, CEO of Patchstack, a cybersecurity company, expressed concern over the situation on Twitter. He mentioned that due to the widespread use of AIOS, hackers are likely to target compromised sites and harvest credentials from the logs. Patchstack has already sent out vulnerability alerts to all its users and hopes that other security plugin providers, such as Updraft, will do the same. Sild also emphasized the importance of cleaning the logs and changing passwords wherever the same combinations were used.
To protect your WordPress site from potential security breaches, it is crucial to keep all plugins and themes up to date. This includes updating AIOS to version 5.2.0 or higher. Additionally, it is recommended to regularly change passwords and to use a strong, unique password for each site and account.
In conclusion, the AIOS plugin for WordPress recently addressed a security issue that could compromise user passwords. The plugin was logging plaintext passwords from login attempts in the database, but this vulnerability has been patched in version 5.2.0. Users are strongly advised to update their plugin immediately to ensure the security of their sites. Failure to do so could result in compromised credentials and potential attacks. Stay vigilant and prioritize the security of your WordPress site by keeping all plugins and themes up to date, regularly changing passwords, and using strong combinations for each account.