All-In-1 Security (AIOS), a WordPress plugin set up on above a person million web sites, has issued a security update just after a bug released in version 5.1.9 of the software package triggered users’ passwords currently being added to the database in plaintext format.
“A malicious web page administrator (i.e. a consumer already logged into the internet site as an admin) could then have read them,” UpdraftPlus, the maintainers of AIOS, explained.
“This would be a challenge if those web-site administrators were to consider out all those passwords on other providers where your end users may have applied the exact password. If people other services’ logins are not guarded by two-factor authentication, this could be a risk to the afflicted web-site.”
The issue surfaced just about 3 weeks ago when a consumer of the plugin reported the behavior, stating they had been “absolutely stunned that a security plugin is earning this sort of a basic security 101 mistake.”
AIOS also famous that the updates take away the existing logged data from the databases, but emphasized profitable exploitation calls for a risk actor to have presently compromised a WordPress internet site by other signifies and have administrative privileges, or obtained unauthorized obtain to unencrypted web-site backups.
“As these types of, the opportunity for another person to attain privileges that they did not presently have, are tiny,” the organization said. “The patched version stops passwords from getting logged, and clears all preceding saved passwords.”
As a precaution, it truly is recommended that end users enable two-factor authentication on WordPress and transform the passwords, notably if the exact same credential mixtures have been utilized on other internet sites.
The disclosure arrives as Wordfence revealed a critical flaw impacting WPEverest’s Consumer Registration plugin (CVE-2023-3342, CVSS score: 9.9) that has about 60,000 energetic installations. The vulnerability has been dealt with in variation 3..2.1.
“This vulnerability makes it probable for an authenticated attacker with minimum permissions, these as a subscriber, to upload arbitrary files, together with PHP data files, and attain distant code execution on a vulnerable site’s server,” Wordfence researcher István Márton stated.
Found this write-up attention-grabbing? Stick to us on Twitter and LinkedIn to read more exceptional material we article.
Some elements of this article are sourced from: