The All-In-One Security (AIOS) plugin for WordPress, currently used by over a million websites, has released a security update. The update was prompted by a bug in version 5.1.9 that wrote user passwords to the database in plaintext.
UpdraftPlus, the team behind AIOS, stated, “An ill-intentioned site administrator (i.e., a user already having site admin login access) could potentially read them.” They further elaborated, “This could create a significant issue if these administrators decide to try these passwords on other platforms where your users might have replicated the same password. If the logins for these other services aren’t safeguarded by two-factor authentication, it could pose a risk to the affected website.”
The issue came to light about three weeks ago when a plugin user reported the behavior, writing, “I am absolutely shocked that a security plugin is making such a basic security 101 error.”
AIOS noted that while the update removes the logged data from the database, exploiting the bug still required an attacker to have already compromised the WordPress site by other means and obtained admin privileges, or to have unauthorized access to unencrypted site backups.
“The chances of someone gaining unauthorized privileges that they didn’t previously possess are slim,” the company assured. “The fixed version prevents passwords from being recorded and eliminates all previously stored passwords.”
As a safety measure, users are advised to activate two-factor authentication on WordPress and update their passwords, particularly if they’ve been using the same credential combinations across various sites.
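An added example, not AIOS or UpdraftPlus code: a hypothetical WordPress audit hook written the way the bug described above should have been avoided, recording the login attempt without ever persisting the password that WordPress's `authenticate` filter hands to it, and redacting password-like fields from any request data it does keep. The `sla_` prefix, the audit table name and the secret-key list are assumptions.

```php
<?php
/**
 * Plugin Name: Safe Login Audit (illustrative, hypothetical)
 * Records login attempts without storing credentials. Not AIOS code.
 */
if ( ! defined( 'ABSPATH' ) ) { exit; }

// Request keys that must never reach the database (assumed list).
const SLA_SECRET_KEYS = array( 'pwd', 'pass', 'password', 'user_pass', 'pass1', 'pass2' );

/** Return a copy of $data with every secret-looking key replaced by a marker. */
function sla_redact( array $data ) {
    foreach ( $data as $key => $value ) {
        if ( in_array( strtolower( (string) $key ), SLA_SECRET_KEYS, true ) ) {
            $data[ $key ] = '[REDACTED]';
        } elseif ( is_array( $value ) ) {
            $data[ $key ] = sla_redact( $value ); // recurse into nested arrays
        }
    }
    return $data;
}

/**
 * The core 'authenticate' filter passes ($user, $username, $password).
 * The bug class in the article is writing $password to the database here;
 * this version records only who tried to log in and whether it succeeded.
 */
function sla_record_attempt( $user, $username, $password ) {
    global $wpdb;
    unset( $password ); // make the intent explicit: never kept, never logged
    $context = sla_redact( $_POST ); // remaining request fields, secrets stripped
    $wpdb->insert(
        $wpdb->prefix . 'sla_login_audit', // assumed table created on activation
        array(
            'username'   => sanitize_user( (string) $username ),
            'success'    => ( $user instanceof WP_User ) ? 1 : 0,
            'remote_ip'  => sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' ),
            'context'    => wp_json_encode( $context ),
            'created_at' => current_time( 'mysql', true ),
        ),
        array( '%s', '%d', '%s', '%s', '%s' )
    );
    return $user; // pass the authentication result through unchanged
}
add_filter( 'authenticate', 'sla_record_attempt', 99, 3 );
```

Auditing an existing logger for this bug class means checking every hook that receives or can read a password (the `authenticate` filter, `$_POST['pwd']`, `wp_signon` arguments) and confirming the stored row contains none of them.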
The disclosure coincides with Wordfence's identification of a critical flaw in the User Registration plugin from WPEverest (CVE-2023-3342, CVSS score: 9.9), which has over 60,000 active installations. The vulnerability has been fixed in version 3.0.2.1.
István Márton, a researcher at Wordfence, cautioned, “This vulnerability allows an authenticated attacker with minimal permissions, like a subscriber, to upload any files, including PHP files, thereby enabling remote code execution on the server of a vulnerable site.”