All-In-One Security (AIOS), a plugin active on more than a million WordPress sites, was found to be logging plaintext passwords from login attempts to the database. The issue has been patched in version 5.2.0.
In a post titled “Cleartext passwords written to aiowps_audit_log” published to the plugin’s support forum two weeks and five days ago, @c0ntr07 reported the issue:
I was absolutely shocked that a security plugin is making such a basic security 101 error (not to mention being out of compliance with NIST 800-63-3, ISO27000, CIS, HIPAA, GDPR, ….)
How can I stop the logging of clear text passwords?
How can this be fixed so we don’t fail the upcoming security review and audit by our third-party compliance auditors?
A support representative from AIOS confirmed that it was a known bug in the last release and offered a development build (a zip file) containing a fix. It took more than two weeks for the patch to be published.
In version 5.2.0, released on July 10, 2023, AIOS included the following security updates in the plugin’s changelog:
- SECURITY: Remove authentication data from the stacktrace before saving to the database
- SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
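As an added illustration, not AIOS's own code (the page does not show the plugin's logger), the snippet below shows how a PHP audit logger that serialises a full backtrace can capture a login password, because the password is a function argument on the call stack, next to a version that strips arguments before the row is stored. The function names are assumptions for the example; it needs PHP 8 for `str_contains`.

```php
<?php
// Added illustration (not AIOS code) of how a PHP stack trace can carry a login
// password into an audit-log row, and how to strip it before the write.
// All function names here are assumptions made for the example.

// Vulnerable pattern: debug_backtrace() collects each frame's arguments by
// default, so serialising the trace writes the caller's $password in cleartext.
function build_audit_row_unsafe(string $event, string $username): string {
    $trace = debug_backtrace();
    return json_encode(['event' => $event, 'user' => $username, 'stacktrace' => $trace]);
}

// Hardened pattern: collect the trace without arguments, then drop any args or
// objects a frame may still carry, so no authentication data reaches the database.
function build_audit_row_safe(string $event, string $username): string {
    $trace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
    foreach ($trace as &$frame) {
        unset($frame['args'], $frame['object']);
    }
    unset($frame);
    return json_encode(['event' => $event, 'user' => $username, 'stacktrace' => $trace]);
}

// Stand-in for a login path such as WordPress's wp_authenticate($username, $password):
// the plaintext password is a function argument, which is exactly what an
// argument-bearing backtrace captures when the logger is called from here.
function authenticate_stub(string $username, string $password): array {
    return [
        'unsafe' => build_audit_row_unsafe('login_attempt', $username),
        'safe'   => build_audit_row_safe('login_attempt', $username),
    ];
}

// Self-check with a constructed password: the unsafe row contains it, the safe row does not.
$password = 'constructed-example-password';
$rows = authenticate_stub('alice', $password);
printf("unsafe row contains password: %s\n", str_contains($rows['unsafe'], $password) ? 'yes' : 'no');
printf("safe row contains password:   %s\n", str_contains($rows['safe'], $password) ? 'yes' : 'no');
```

The same check, run against a copy of an existing audit table, is how a site owner can confirm whether rows written before the update still hold credentials.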
Users are advised to update to version 5.2.0+ immediately in order to secure their sites. At the time of publishing, almost no users have updated to 5.2.0+, leaving hundreds of thousands of users who are running 5.1.9 still vulnerable.

“So far the developer hasn’t even told the users to change all passwords,” Patchstack CEO Oliver Sild said in response to the issue on Twitter. “Due to the scale, we will 100% see hackers harvest the credentials from the logs of compromised sites that run (or have run) this plugin.
“We have also sent out a vulnerability alert to all Patchstack users. Hopefully the Updraft team will do the same and will tell their security plugin users to clean those logs ASAP and ask all the site users to change their passwords wherever they used the same combinations.”
Not sure what happened to the formatting of my first attempt…. here goes again….
Sincere apologies to all AIOS users for this bug.
The above piece omits to note that the passwords are exposed only to someone who can read a copy of the WordPress database, which means a WordPress admin (or, on a multisite install, the admin of a site, who can see data for their own site but not for other sites).
There’s no need to do that – if you’re running the current version of AIOS, then it wiped them upon update. The release took longer than we hoped to get out because of testing back-and-forth on the update task.
The WordPress security and journalism landscapes would be much improved if vendors of security products and journalists avoided hyperbolic inaccuracy, and stuck to accurate descriptions after verifying the actual situation before publishing. As per the above, in order to achieve this, the attacker would need admin-level access to harvest anything (i.e. the same level of access that would allow him to do anything that needs admin privileges on the site already), and the site owner would have to have not updated to the current AIOS release.
I.e., it’s an “admin-only” vulnerability. These aren’t desirable, of course, and hence we are genuinely sorry to all our users for its existence. But if you have admins on your site who are hostile attackers, you also need to fix that situation, as you’ll still be vulnerable to many other problems after updating AIOS (e.g. your hostile admin could add or remove plugins or users, export data, etc.; and if they’re not on multisite, a regular admin can do anything and everything, so it’s not a privilege escalation at all).