The Information Highway

The Information Highway

Font size: +
3 minutes reading time (538 words)

WordPress AIOS plugin used by 1M sites logged plaintext passwords

The All-In-One Security (AIOS) WordPress security plugin, used by over a million WordPress sites, was found to be logging plaintext passwords from user login attempts to the site's database, putting account security at risk. 

AIOS is an all-in-one solution developed by Updraft, offering web application firewall, content protection, and login security tools for WordPress sites, promising to stop bots and prevent brute force attacks.

Roughly three weeks ago, a user reported that the AIOS v5.1.9 plugin was not only recording user login attempts to the aiowps_audit_log database table, used to track logins, logouts, and failed login events but also recording the inputted password. 

The user expressed concern that this activity violates multiple security compliance standards, including NIST 800-63 3, ISO 27000, and GDPR.


Initial report of the flaw (wordpress.org)


However, Updraft's support agent responded by saying it was a "known bug" and delivering a vague promise about a fix being available in the next release.

After realizing the criticality of the problem, the support offered development builds of the upcoming release to concerned users two weeks ago. Still, those attempting to install the development builds reported website problems and that the password logs weren't removed. 


Fix now available

Eventually, on July 11, the AIOS vendor released version 5.2.0, which includes a fix to prevent saving plaintext passwords and clears out old entries.

"AIOS release 5.2.0 and newer updates have fixed a bug in 5.1.9 which resulted in users' passwords being added to the WordPress database in plain text," reads the release announcement.

"This would be a problem if [malicious] site administrators were to try out those passwords on other services where your users might have used the same password."

If the exposed people's login details are not protected by two-factor authentication on these other platforms, rogue admins could easily take over their accounts.

Apart from the malicious admin scenario, websites using AIOS would face elevated risk from hacker breaches, as a bad actor gaining access to the site's database could exfiltrate user passwords in plaintext form. 


At the time of writing, WordPress.org stats show that roughly one-fourth of AIOS users have applied the update to 5.2.0, so more than 750,000 sites remain vulnerable.

Unfortunately, with WordPress a common target for threat actors, there is a chance that some of the sites using AIOS were compromised already, and considering that the issue has been circulated online for three weeks now, hackers have had plenty of opportunity to take advantage of the plugin's creator's slow response.

Also, it is unfortunate that at no point during the exposure period did Updraft warn its users about the elevated risk of exposure, advising them on what actions to take.

Websites using AIOS should now update to the latest version and ask users to reset their passwords.

Microsoft still unsure how hackers stole Azure AD ...
How does ChatGPT actually work?

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Thursday, 14 November 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023