All-In-One Security (AIOS), a plugin active on more than a million WordPress sites, was found to be logging plaintext passwords from login attempts in the database and has patched the security issue in version 5.2.0.
In a post titled “Cleartext passwords written to aiowps_audit_log” published to the plugin’s support forum two weeks and five days ago, @c0ntr07 reported the issue:
I was absolutely shocked that a security plugin is making such a basic security 101 error (not to mention being out of compliance with NIST 800-63-3, ISO27000, CIS, HIPAA, GDPR, ….)
How can I stop the logging of clear text passwords?
How can this be fixed so we don’t fail the upcoming security review and audit by our third-party compliance auditors?
A support representative from AIOS confirmed that it was a known bug in the last release and offered a development copy of a zip file with a fix. It took more than two weeks for the patch to be published.
In version 5.2.0, released on July 10, 2023, AIOS included the following security updates in the plugin’s changelog:
- SECURITY: Remove authentication data from the stacktrace before saving to the database
- SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
Users are advised to update to version 5.2.0+ immediately in order to secure their sites. At the time of publishing, almost no users have updated to 5.2.0+, leaving hundreds of thousands of users who are running 5.1.9 still vulnerable.
“So far the developer haven’t even told the users to change all passwords,” Patchstack CEO Oliver Sild said in response to the issue on Twitter. “Due to the scale, we will 100% see hackers harvest the credentials from the logs of compromised sites that run (or has run) this plugin.
“We have also sent out vulnerability alert to all Patchstack users. Hopefully the Updraft team will do the same and will tell their security plugin users to clean those logs ASAP and ask all the site users to change the passwords where ever they used the same combinations.”
