
All-In-One Security (AIOS), a WordPress plugin installed on over 1 million sites, had a bug introduced in version 5.1.9 of the software that caused user passwords to be added to the database in plain text. A security update has since been issued to fix the bug.
UpdraftPlus, the maintainer of AIOS, said, “A malicious site administrator (i.e. a user already logged into the site as an administrator) could have been able to read them.”
“This would be a problem if the site administrator tried that password on other services where the user might be using the same password. If logins for these other services are not protected with two-factor authentication, this could be dangerous for users of the affected websites.”
The issue was reported about three weeks ago by a user of the plugin, who said he was “very shocked that a security plugin was giving such a basic security 101 error” and reported that the behavior surfaced with
AIOS also noted that the update removes the existing logged data from its database, and stressed that for an exploit to be successful, the threat actor must already have compromised the WordPress site by other means and hold administrative privileges, or must have obtained unauthorized access to unencrypted site backups.
“Therefore, there is less opportunity for someone to gain privileges that they don’t already have,” the company said. “The patched version will stop recording passwords and clear all previously stored passwords.”
As a precaution, users are advised to enable two-factor authentication on WordPress and change their passwords, especially if the same credential combination is used on other sites.
This disclosure follows Wordfence’s disclosure of a critical flaw affecting WPEverest’s User Registration plugin (CVE-2023-3342, CVSS score: 9.9), which has over 60,000 active installs. The vulnerability has been resolved in version 3.0.2.1.
“This vulnerability allows an authenticated attacker with minimal privileges, such as a subscriber, to upload arbitrary files, including PHP files, to the vulnerable site’s server,” said István Marton, a Wordfence researcher. It will be possible to run code remotely on