WordPress security plugin installed on over 1 million sites stored passwords in plaintext

Popular WordPress plugin, All-In-One Security, which is a security plugin installed on over a million websites has issued a security update after a previous version was found to be storing plaintext passwords in its logs which were stored in a database. The vulnerability was reported a few weeks ago on the plugin forum support page. AIOS has released a blog post detailing the exact issue.

Essentially, each password was accidentally stored whenever a user logged into the site, once the plugin was active on the website. Version 5.2.0 fixes the bug, although earlier fixes were reported to be crashing some user websites leading to a newer release 5.2.1 which included a workaround to prevent conditions that were causing the crash.

Security recommendations typically encourage admins to never store passwords in plaintext, given how easy it is for hackers to access websites and steal data stored within them. By not encrypting the passwords, anyone who has a copy of the database has full access to copy and user the passwords. Because of password reuse, other websites may also be compromised once a password is stolen.

If you are using AIOS, we recommend installing the update immediately and test to ensure that they log deletion code provided by the AIOS developers is working as expected. If you suspect that your password might have been compromised due to this vulnerability, it is strongly recommended that you update that password immediately. As of today over 40% of sites were found to still be running an older unpatched version

Leave a Reply