• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
aios wordpress plugin faces backlash for storing user passwords in

AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plain Text

You are here: Home / General Cyber Security News / AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plain Text
July 14, 2023

All-In-1 Security (AIOS), a WordPress plugin set up on above a person million web sites, has issued a security update just after a bug released in version 5.1.9 of the software package triggered users’ passwords currently being added to the database in plaintext format.

“A malicious web page administrator (i.e. a consumer already logged into the internet site as an admin) could then have read them,” UpdraftPlus, the maintainers of AIOS, explained.

“This would be a challenge if those web-site administrators were to consider out all those passwords on other providers where your end users may have applied the exact password. If people other services’ logins are not guarded by two-factor authentication, this could be a risk to the afflicted web-site.”

✔ Approved Seller From Our Partners
Mullvad VPN Discount

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount


The issue surfaced just about 3 weeks ago when a consumer of the plugin reported the behavior, stating they had been “absolutely stunned that a security plugin is earning this sort of a basic security 101 mistake.”

AIOS also famous that the updates take away the existing logged data from the databases, but emphasized profitable exploitation calls for a risk actor to have presently compromised a WordPress internet site by other signifies and have administrative privileges, or obtained unauthorized obtain to unencrypted web-site backups.

“As these types of, the opportunity for another person to attain privileges that they did not presently have, are tiny,” the organization said. “The patched version stops passwords from getting logged, and clears all preceding saved passwords.”

As a precaution, it truly is recommended that end users enable two-factor authentication on WordPress and transform the passwords, notably if the exact same credential mixtures have been utilized on other internet sites.

The disclosure arrives as Wordfence revealed a critical flaw impacting WPEverest’s Consumer Registration plugin (CVE-2023-3342, CVSS score: 9.9) that has about 60,000 energetic installations. The vulnerability has been dealt with in variation 3..2.1.

“This vulnerability makes it probable for an authenticated attacker with minimum permissions, these as a subscriber, to upload arbitrary files, together with PHP data files, and attain distant code execution on a vulnerable site’s server,” Wordfence researcher István Márton stated.

Found this write-up attention-grabbing? Stick to us on Twitter  and LinkedIn to read more exceptional material we article.


Some elements of this article are sourced from:
thehackernews.com

Previous Post: «teamtnt's cloud credential stealing campaign now targets azure and google TeamTNT’s Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud
Next Post: Defend Against Insider Threats: Join this Webinar on SaaS Security Posture Management defend against insider threats: join this webinar on saas security»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia
  • Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats
  • Chinese Hackers Using SugarGh0st RAT to Target South Korea and Uzbekistan
  • Discover How Gcore Thwarted Powerful 1.1Tbps and 1.6Tbps DDoS Attacks
  • WhatsApp’s New Secret Code Feature Lets Users Protect Private Chats with Password
  • U.S. Treasury Sanctions North Korean Kimsuky Hackers and 8 Foreign Agents
  • Zyxel Releases Patches to Fix 15 Flaws in NAS, Firewall, and AP Devices
  • Zero-Day Alert: Apple Rolls Out iOS, macOS, and Safari Patches for 2 Actively Exploited Flaws
  • Google Unveils RETVec – Gmail’s New Defense Against Spam and Malicious Emails
  • North Korea’s Lazarus Group Rakes in $3 Billion from Cryptocurrency Hacks

Copyright © TheCyberSecurity.News, All Rights Reserved.