May 5, 2024

All-In-One Security (AIOS), a plugin active on more than a million WordPress sites, was found to be logging plaintext passwords from login attempts in the database and has patched the security issue in version 5.2.0.

A support representative from AIOS confirmed that it was a known bug in the last release and offered a development copy of a zip file with a fix. It took more than two weeks for the patch to be published.

It was discovered that AIOS version 5.1.9 writes plaintext passwords from login attempts to the database, which essentially provides any privileged user with access to the login credentials of all other administrator users.

Advertisements

Mainteners of the plugin released AIOS version 5.2.0 to address the issue and remove the logged passwords from the database. However, plugin users have been complaining about the update breaking sites and not removing the password logs. AIOS version 5.2.1 was released on Wednesday to address these issues, but some users claim sites are still broken.

Users are advised to update to version 5.2.0+ immediately in order to secure their sites. At the time of publishing, almost no users have updated to 5.2.0+, leaving hundreds of thousands of users who are running 5.1.9 still vulnerable.

Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

TheCyberThrone Security Week In Review – May 04, 2024

May 4, 2024

Microsoft initiative in response to CSRB

May 4, 2024

Aruba fixes several Critical Vulnerabilities

May 3, 2024

Dropbox suffers a Data Breach

May 3, 2024

Gitlab CVE-2023-7028 added to CISA KEV Catalog

May 2, 2024

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – April, 2024

May 1, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading