
July 17, 2023

WordPress security plugin found logging plaintext passwords


At least one researcher is predicting large-scale exploitation of version 5.1.9 of the popular All-In-One Security (AIOS) plugin for WordPress, after it was discovered logging plaintext passwords to a database table used to track logins, logouts, and failed login attempts. This could allow website administrators with bad intentions to re-use these credentials on other online portals and potentially take over accounts. The flaw also motivates hackers to target websites running the affected plugin, with a bounty of plaintext credentials waiting for anyone who gets in.

Besides these obvious security threats, the bug also violates several security compliance standards, such as NIST SP 800-63, ISO 27001, and the EU’s General Data Protection Regulation (GDPR), causing potential legal headaches for users that adhere to such frameworks.

AIOS, developed by Updraft, offers web application firewall (WAF), content protection, and login security tools for WordPress sites to help prevent bots and brute force attacks. AIOS has over one million active installations.

On July 11, 2023, three weeks after the initial discovery, Updraft released a new version of the plugin that no longer saves plaintext passwords and clears out old entries. WordPress.org stats show that one-fourth of AIOS users have applied the latest update, leaving more than 750,000 sites vulnerable.

Source: Bleeping Computer

Analysis

WordPress is a popular content management system due to its affordability, ease of use, and repository of nearly 60,000 plugins. Unfortunately, it’s also a popular target for threat actors looking for infrastructure to host malware or serve as part of their command and control (C2) networks, due to the plethora of plugins users can install into their WordPress applications that are often misconfigured and not regularly updated.

For example, just two weeks ago, WordPress advised its users to uninstall the popular Ultimate Member plugin until a patch was released to address a zero-day privilege escalation vulnerability. The flaw allowed threat actors to change their user meta value to define their role as an administrator, providing them with complete access to the site.

While it’s normal for a security application to track logins, logouts, and failed logins, this data is usually encoded, encrypted, masked, or tokenized so it’s useless to someone without the means to reverse such processes.
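The safe way to keep a login-activity table is to never let the submitted password reach it. The example below is added here and is not AIOS's code or the fix Updraft shipped: it strips credential fields (an assumed list of field names; "pwd" and "log" are WordPress's own login-form names) from login events before they are stored, and scans an existing table for rows that still hold one so they can be cleared out, on a constructed sample of rows.

```python
import re
from typing import Any

# Field names that carry a credential in a WordPress login request. "pwd" is
# WordPress's own password field; the rest are common variants. Assumed list,
# not taken from the AIOS schema.
CREDENTIAL_KEY = re.compile(r"^(pwd|pass(word|wd)?|user_pass|login_password)$", re.I)


def redact_login_event(event: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of a login/logout/failed-login event with every credential
    field dropped. Nested dicts (e.g. a captured request body) are cleaned too."""
    clean: dict[str, Any] = {}
    for key, value in event.items():
        if CREDENTIAL_KEY.match(key):
            continue  # never persist the secret itself, not even masked or encoded
        clean[key] = redact_login_event(value) if isinstance(value, dict) else value
    return clean


def find_leaked_rows(rows: list[dict[str, Any]]) -> list[int]:
    """Indices of stored audit rows that still contain a credential field at any depth."""
    return [i for i, row in enumerate(rows) if redact_login_event(row) != row]


def scrub_rows(rows: list[dict[str, Any]]) -> tuple[list[dict[str, Any]], int]:
    """Clean an existing table: return the scrubbed rows and how many had leaked data."""
    return [redact_login_event(r) for r in rows], len(find_leaked_rows(rows))


# Constructed sample of what a careless login tracker might have stored.
# "log" is WordPress's username field; the IPs are documentation ranges.
SAMPLE_ROWS = [
    {"event": "login_failed", "log": "alice", "pwd": "Summer2023!",
     "ip": "203.0.113.7", "ts": "2023-07-01T10:00:00Z"},
    {"event": "login_ok", "log": "bob", "request": {"log": "bob", "pwd": "hunter2"},
     "ip": "198.51.100.9", "ts": "2023-07-01T10:05:00Z"},
    {"event": "logout", "log": "bob", "ip": "198.51.100.9", "ts": "2023-07-01T11:00:00Z"},
]

if __name__ == "__main__":
    cleaned, leaked = scrub_rows(SAMPLE_ROWS)
    print(f"rows with plaintext credentials: {leaked}")
    for row in cleaned:
        print(row)
```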

Mitigation

Field Effect strongly encourages users of the AIOS plugin to update to the latest version as soon as possible. Site admins should also ask their users to reset their passwords just in case a threat actor or rogue admin was able to collect them during the time they were exposed.
