July 14, 2023THNMorePassword Security / WordPress

All-In-One Security (AIOS), a WordPress plugin installed on over 1 million sites, had a bug introduced in version 5.1.9 of the software that caused user passwords to be added to the database in plain text. We have issued a security update because it caused

“A malicious site administrator (i.e. a user already logged into the site as an administrator) could read them,” said AIOS administrator UpdraftPlus. Said.

“This would be a problem if the site administrator tried that password on other services where the user might be using the same password. If logins for these other services are protected with two-factor authentication, If not, this could be dangerous for users.” Affected websites. ”

This issue surfaced nearly three weeks ago for users of the plugin. report They said they were “extremely shocked that a security plugin was causing such a basic security 101 error.”

AIOS also noted that the update would remove existing log data from its database, but for an exploit to be successful, the threat actor must have already compromised the WordPress site by other means and have administrative privileges. , stressed that they must have obtained unauthorized access to unencrypted site backups.

“Therefore, there is less opportunity for someone to gain privileges that they don’t already have,” the company said. “The patched version will stop recording passwords and clear all previously stored passwords.”

As a precaution, we recommend enabling two-factor authentication on WordPress and changing your password, especially if the same credential combination is used on other sites.

This disclosure follows Wordfence’s disclosure of a critical flaw affecting WPEverest. user registration A plugin with over 60,000 active installs (CVE-2023-3342, CVSS score: 9.9). This vulnerability has been resolved in version

“This vulnerability allows an authenticated attacker with minimal privileges, such as a subscriber, to upload arbitrary files, including PHP files, and remotely execute code on the vulnerable site’s server. ,” said Wordfence researcher István Marton. Said.

Did you enjoy this article? Follow us twitter and LinkedIn To read more of the exclusive content we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog