All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users’ passwords to be added to the database in plaintext.
“A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them,” UpdraftPlus, the maintainers of AIOS, said.
The issue surfaced nearly three weeks ago when a user of the plugin reported the behavior, stating they were “absolutely shocked that a security plugin is making such a basic security 101 error.”
AIOS also noted that the updates remove the existing logged data from the database, but emphasized successful exploitation requires a threat actor to have already compromised a WordPress site by other means and have administrative privileges, or gained unauthorized access to unencrypted site backups.
As a precaution, it’s recommended that users enable two-factor authentication on WordPress and change their passwords, particularly if the same credential combinations have been used on other sites.
The disclosure comes as Wordfence revealed a critical flaw impacting WPEverest’s User Registration plugin (CVE-2023-3342, CVSS score: 9.9) that has over 60,000 active installations. The vulnerability has been addressed in version 3.0.2.1.
Source: https://thehackernews.com/