July 14, 2023 | THN | Password Security / WordPress

All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update to fix a bug, introduced in version 5.1.9 of the software, that caused user passwords to be written to the database in plain text.

“A malicious site administrator (i.e. a user already logged into the site as an administrator) could read them,” said AIOS maintainer UpdraftPlus.

“This would be a problem if the site administrator tried that password on other services where the user might be using the same password. If logins for these other services are not protected with two-factor authentication, this could be dangerous for users of the affected websites.”

This issue surfaced nearly three weeks ago when a user of the plugin reported it, saying they were “extremely shocked that a security plugin was causing such a basic security 101 error.”

AIOS also noted that the update removes the existing log data from its database, and stressed that for an exploit to succeed, a threat actor would have to have already compromised the WordPress site by other means and obtained administrative privileges, or gained unauthorized access to unencrypted site backups.

“Therefore, there is less opportunity for someone to gain privileges that they don’t already have,” the company said. “The patched version will stop recording passwords and clear all previously stored passwords.”
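The bug described above is a logging defect: a plugin recorded the submitted password alongside the login event. The following is an added example, not AIOS or UpdraftPlus code, of how a WordPress login-activity logger can be written so that the password never reaches persistent storage, plus a one-off purge of legacy rows in the spirit of the patch's “clear all previously stored passwords” step. The table name `{$wpdb->prefix}login_activity` and its columns are hypothetical; the `authenticate` filter, the `wp_login` action and the `$wpdb` helpers are standard WordPress APIs.

```php
<?php
/**
 * Added example (not AIOS/UpdraftPlus code): a login-activity logger for a
 * WordPress plugin that never persists the submitted password.
 *
 * Assumption: a custom table {$wpdb->prefix}login_activity with the columns
 * user_login, ip, success and created_at (hypothetical schema).
 */

// Field names that must never be written to storage, whatever the source array.
const LOGIN_LOG_SECRET_KEYS = array( 'pwd', 'password', 'user_pass', 'pass1', 'pass2' );

/**
 * Return a copy of $data with secret fields replaced by a fixed marker.
 * Matching is case-insensitive and also catches any key containing "pass" or
 * "pwd", so a renamed form field does not slip through.
 */
function login_log_redact( array $data ) {
    $out = array();
    foreach ( $data as $key => $value ) {
        $k = strtolower( (string) $key );
        $is_secret = in_array( $k, LOGIN_LOG_SECRET_KEYS, true )
            || false !== strpos( $k, 'pass' )
            || false !== strpos( $k, 'pwd' );
        $out[ $key ] = $is_secret ? '[REDACTED]' : $value;
    }
    return $out;
}

/**
 * Record one login attempt. Only the username, client IP and outcome are
 * stored; every row passes through login_log_redact() before insertion.
 */
function login_log_record( $user_login, $success ) {
    global $wpdb;
    $row = login_log_redact( array(
        'user_login' => sanitize_user( (string) $user_login ),
        'ip'         => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '',
        'success'    => $success ? 1 : 0,
        'created_at' => current_time( 'mysql', true ),
    ) );
    $wpdb->insert( $wpdb->prefix . 'login_activity', $row ); // hypothetical table
}

// The 'authenticate' filter is called with ($user, $username, $password).
// The callback accepts only two arguments, so the password is never bound
// to a variable in this plugin at all.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' !== (string) $username && $user instanceof WP_Error ) {
        login_log_record( $username, false ); // failed attempt
    }
    return $user;
}, 99, 2 );

// 'wp_login' fires after a successful login with ($user_login, $user).
add_action( 'wp_login', function ( $user_login ) {
    login_log_record( $user_login, true );
}, 10, 1 );

/**
 * One-off cleanup to run on upgrade, mirroring the remediation described in
 * the article: drop every previously logged row so that no plaintext secret
 * recorded by an earlier version remains in the database.
 */
function login_log_purge_legacy_rows() {
    global $wpdb;
    $table = $wpdb->prefix . 'login_activity'; // hypothetical table
    return $wpdb->query( "DELETE FROM {$table}" );
}
```

The design point is that redaction is applied to the whole row at the single choke point that writes to the database, rather than relying on each call site to remember which fields are sensitive; and the failure-path hook is written so that the password argument is never even received by plugin code.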

As a precaution, users are advised to enable two-factor authentication on WordPress and change their password, especially if the same credential combination is used on other sites.

This disclosure follows Wordfence’s report of a critical flaw in WPEverest’s User Registration plugin, which has over 60,000 active installs (CVE-2023-3342, CVSS score: 9.9). The vulnerability was resolved in version 3.0.2.1.

“This vulnerability allows an authenticated attacker with minimal privileges, such as a subscriber, to upload arbitrary files, including PHP files, and remotely execute code on the vulnerable site’s server,” said Wordfence researcher István Márton.
