• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
aios wordpress plugin faces backlash for storing user passwords in

AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plain Text

You are here: Home / General Cyber Security News / AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plain Text
July 14, 2023

All-In-1 Security (AIOS), a WordPress plugin set up on above a person million web sites, has issued a security update just after a bug released in version 5.1.9 of the software package triggered users’ passwords currently being added to the database in plaintext format.

“A malicious web page administrator (i.e. a consumer already logged into the internet site as an admin) could then have read them,” UpdraftPlus, the maintainers of AIOS, explained.

“This would be a challenge if those web-site administrators were to consider out all those passwords on other providers where your end users may have applied the exact password. If people other services’ logins are not guarded by two-factor authentication, this could be a risk to the afflicted web-site.”

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


The issue surfaced just about 3 weeks ago when a consumer of the plugin reported the behavior, stating they had been “absolutely stunned that a security plugin is earning this sort of a basic security 101 mistake.”

AIOS also famous that the updates take away the existing logged data from the databases, but emphasized profitable exploitation calls for a risk actor to have presently compromised a WordPress internet site by other signifies and have administrative privileges, or obtained unauthorized obtain to unencrypted web-site backups.

“As these types of, the opportunity for another person to attain privileges that they did not presently have, are tiny,” the organization said. “The patched version stops passwords from getting logged, and clears all preceding saved passwords.”

As a precaution, it truly is recommended that end users enable two-factor authentication on WordPress and transform the passwords, notably if the exact same credential mixtures have been utilized on other internet sites.

The disclosure arrives as Wordfence revealed a critical flaw impacting WPEverest’s Consumer Registration plugin (CVE-2023-3342, CVSS score: 9.9) that has about 60,000 energetic installations. The vulnerability has been dealt with in variation 3..2.1.

“This vulnerability makes it probable for an authenticated attacker with minimum permissions, these as a subscriber, to upload arbitrary files, together with PHP data files, and attain distant code execution on a vulnerable site’s server,” Wordfence researcher István Márton stated.

Found this write-up attention-grabbing? Stick to us on Twitter  and LinkedIn to read more exceptional material we article.


Some elements of this article are sourced from:
thehackernews.com

Previous Post: «teamtnt's cloud credential stealing campaign now targets azure and google TeamTNT’s Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud
Next Post: Defend Against Insider Threats: Join this Webinar on SaaS Security Posture Management defend against insider threats: join this webinar on saas security»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month
  • Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion
  • CTEM is the New SOC: Shifting from Monitoring Alerts to Measuring Risk
  • Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware
  • WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network
  • New TokenBreak Attack Bypasses AI Moderation with Single-Character Text Changes
  • AI Agents Run on Secret Accounts — Learn How to Secure Them in This Webinar
  • Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction
  • Non-Human Identities: How to Address the Expanding Security Risk
  • ConnectWise to Rotate ScreenConnect Code Signing Certificates Due to Security Risks

Copyright © TheCyberSecurity.News, All Rights Reserved.