AIOS (All-In-One Security), a WordPress security plugin installed on more than one million websites, has issued a crucial security update after a bug introduced in version 5.1.9 caused users' passwords to be stored in plaintext in the database.
UpdraftPlus, the maintainers of AIOS, stated that a malicious site administrator, already logged into the site as an admin, could potentially read these passwords. This poses a risk if such an administrator attempted to use the captured passwords on other services where the affected users had reused the same credentials, especially where those services do not enforce two-factor authentication.
The issue was first reported by a plugin user nearly three weeks ago, who expressed surprise that a security plugin would make such a fundamental security error.
AIOS confirmed that the update not only fixes the password storage bug but also removes the previously logged passwords from the database. Successful exploitation would, however, require a threat actor to have already compromised the WordPress site by other means and to hold administrative privileges, or to have unauthorized access to unencrypted site backups containing the database.
The company emphasized that the chances of an attacker gaining new privileges through this vulnerability are relatively low. The patched version of the plugin prevents passwords from being logged and clears any previously saved passwords.
To mitigate the residual risk, users are strongly recommended to enable two-factor authentication on their WordPress sites and to change their passwords, particularly where the same credentials have been used on other platforms.
In a related disclosure, Wordfence recently uncovered a critical flaw affecting the User Registration plugin developed by WPEverest (CVE-2023-3342, CVSS score: 9.9). This plugin, with over 60,000 active installations, has addressed the vulnerability in version 3.0.2.1.
According to Wordfence researcher István Márton, the vulnerability enables an authenticated attacker with minimal permissions, such as a subscriber, to upload arbitrary files, including PHP files, and thereby achieve remote code execution on the vulnerable site's server.