Bleeping Computer revealed that the All-In-One Security (AIOS) WordPress plugin, used by over a million WordPress sites, was exposing user login passwords by logging them in plain text in the site's database. This practice could compromise account security.
AIOS, developed by Updraft, is marketed as an all-in-one solution mainly providing a web application firewall, content hardening, and login security tools for WordPress sites to block bots and prevent brute force attacks.
About three weeks ago, a user reported that AIOS v5.1.9 not only logged user login attempts to the aiowps_audit_log database table for tracking logins, logouts, and failed logins, but also recorded the passwords entered. The user was concerned this violated various security compliance standards including NIST 800-63, ISO 27000, and GDPR.
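The defect described above, reduced to its essence as an added example (not AIOS's or Updraft's own code): an audit logger that copies every submitted login-form field into the log captures the password, while an allowlisting logger records only the username and outcome. The `find_leaked_entries` check lets an administrator confirm that exported audit rows no longer carry a secret; the row schema (`id`, `details` holding JSON) and the secret field names are assumptions, and the sample login attempt is constructed.

```python
"""Audit logging of WordPress-style login attempts: a simplified stand-in for
the bug the article describes (not the plugin's own code), its hardened form,
and a check over stored entries. Row schema and field names are assumptions."""
import json
from typing import Iterable

# wp-login.php form field names: "log" is the username, "pwd" the password.
SECRET_FIELDS = frozenset({"pwd", "password", "pass"})
ALLOWED_FIELDS = frozenset({"log"})  # only the username goes into the audit log


def audit_entry_vulnerable(post: dict, outcome: str, ip: str) -> dict:
    """Logs every submitted form field, so the password lands in the log.
    This mirrors the defect described above, not the plugin's real source."""
    return {"event": outcome, "ip": ip, "details": json.dumps(post)}


def audit_entry_fixed(post: dict, outcome: str, ip: str) -> dict:
    """Allowlists fields for the audit record; secrets are never copied."""
    safe = {k: v for k, v in post.items() if k in ALLOWED_FIELDS}
    return {"event": outcome, "ip": ip, "details": json.dumps(safe)}


def find_leaked_entries(entries: Iterable[dict]) -> list:
    """Returns (id, field) pairs for audit rows whose details JSON still carries
    a secret field. Assumed schema: each row has 'id' and a JSON 'details'."""
    leaked = []
    for row in entries:
        try:
            details = json.loads(row.get("details") or "{}")
        except json.JSONDecodeError:
            continue  # non-JSON details cannot be matched by key
        if not isinstance(details, dict):
            continue
        hits = sorted(details.keys() & SECRET_FIELDS)
        if hits:
            leaked.append((row["id"], hits[0]))
    return leaked


# Constructed sample: one failed login attempt as wp-login.php would submit it.
SAMPLE_POST = {"log": "alice", "pwd": "hunter2-example", "rememberme": "forever"}

if __name__ == "__main__":
    bad = dict(id=1, **audit_entry_vulnerable(SAMPLE_POST, "failed_login", "198.51.100.7"))
    good = dict(id=2, **audit_entry_fixed(SAMPLE_POST, "failed_login", "198.51.100.7"))
    print(find_leaked_entries([bad, good]))  # [(1, 'pwd')]
```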
Initially, Updraft responded that the issue was a "known bug" and vaguely promised to fix it in the next release. However, after realizing the severity, Updraft support offered affected users an upcoming dev build two weeks ago. But users trying to install it noted the password logs were not removed.
The Fix Released
On July 11th, Updraft released version 5.2.0, which stops passwords from being saved in plaintext and purges the entries already stored. The vendor stressed in the announcement that 5.2.0 resolved an error in 5.1.9 that caused user passwords to be added to the WordPress database in plaintext.
This posed a security risk if a "malicious" site admin tried the logged passwords on other services where users might have reused them. If those accounts were not protected by two-factor authentication, such an admin could easily take them over.
Beyond the risk from "malicious" admins, sites using AIOS were also exposed to attackers who gained database access and could read, and potentially leak, user passwords in plaintext.
WordPress.org stats show only about a quarter of AIOS users have applied the 5.2.0 update, meaning roughly 750,000 sites likely remain vulnerable.
Unfortunately, WordPress has long been a prime target for cyber attacks, and some AIOS sites may already be compromised. Moreover, this security issue has been circulating for over three weeks without Updraft warning users of their increased exposure, so some accounts may already have been abused.
In summary, sites using AIOS should update to the latest version as soon as possible and require users to reset passwords.