The WordPress security plugin All-In-One Security (AIOS) introduced a security flaw of its own. Because of a bug, the tool collected users' passwords and stored them in plain text in the database.
AIOS is installed on more than 1 million WordPress websites. After an update in May this year, the tool turned out to be doing precisely what it was meant to prevent: weakening the security of the WordPress websites it protects.
A bug in the version 5.1.9 update caused the passwords of users of any website running the plugin to be stored in plain text in that site's database. Administrators of those sites therefore had access to a database containing their users' passwords.
Administrators with the highest privilege and management rights could thus easily misuse these passwords for other (malicious) purposes.
Bug known for three weeks
The bug in the 5.1.9 release of AIOS came to light three weeks ago. On a WordPress forum, a user made the bug publicly known and voiced concern that it would count against him in a security review by compliance auditors.
AIOS acknowledged that the bug was known and provided a script to remove the logged data. The user replied that unfortunately the script did not work.
AIOS has since fixed the bug and released version 5.2.0. The developer urges users to install this latest version. Users should also change their passwords regularly and enable two-factor authentication (2FA) on their accounts and WordPress websites.