Updraft, the developer of the All-In-One Security (AIOS) WordPress plugin installed on over a million sites, has disclosed a security flaw and advised site owners to update. The plugin turned out to be writing users' plaintext passwords into the site's database whenever they logged in, putting those accounts at risk.
The first reports of the problem appeared about three weeks ago, BleepingComputer recalls. At that time, a user reported that AIOS version 5.1.9 not only records login attempts in the aiowps_audit_log database table (which tracks logins, logouts, and failed login events) but also stores the password that was entered.
The user expressed concern and pointed out that this practice violates numerous security compliance standards, including NIST SP 800-63-3, ISO 27000, and GDPR.
However, an Updraft support representative responded that it was a "known bug" and vaguely promised that a fix would arrive in a future release.
Having acknowledged the severity of the problem, the AIOS vendor has now released version 5.2.0 of the plugin, which stops plaintext passwords from being stored and removes the entries already logged.
“The new version of AIOS fixes a bug that caused user passwords to be added to the WordPress database in plain text,” reads an announcement on the developer’s website.
“It would be a problem if the administrators of [malicious] sites tried to use the passwords entered on their sites on other services where users had used the same set of characters.”
Beyond the malicious-administrator scenario, sites running AIOS face a higher risk of compromise because an attacker who gains access to the site's database (for example through SQL injection or a leaked backup) can read user passwords in clear text rather than having to crack hashes.
Statistics from WordPress.org show that so far only about a quarter of AIOS installations have been updated to version 5.2.0, leaving at least 750,000 sites still exposed.
To keep attackers from exploiting this issue, the developer recommends updating the AIOS plugin to the latest version and resetting the passwords that were entered while the vulnerable version was installed.
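A site owner who has already updated still has to decide whose passwords to reset. The script below is an added example, not code from AIOS, Updraft or WordPress: it takes an export of the audit-log table described above together with the site's stored password hashes, and reports which accounts had their current password written to the log (a failed-login row holding a wrong guess does not put a user on the list). The row layout (a "username" and a "details" string per row) and the sample data are constructed assumptions for illustration, not the plugin's real schema; map your own export onto them. Only the classic WordPress portable hash format ("$P$", phpass) is checked, which is the format in wp_users.user_pass on the WordPress versions of the time; any other format is reported as unverifiable rather than silently skipped.

```python
"""Added example (not AIOS/WordPress code): find which users' current password
was logged in plaintext, so the reset can be targeted rather than blanket.

Assumed layout (illustrative): audit rows are dicts with "username" and
"details" (the raw string the plugin stored); user_hashes maps username to the
hash from wp_users.user_pass. Only "$P$" phpass hashes are recomputed here.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass's own base-64 variant: 6-bit groups, little-endian, no padding."""
    out = []
    i = 0
    while True:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password: str, setting: str) -> Optional[str]:
    """Recompute a "$P$" portable hash for `password` from the cost and salt in
    `setting` (the first 12 characters of a stored hash). None for other formats."""
    if not setting.startswith("$P$") or len(setting) < 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return None
    salt = setting[4:12].encode("ascii")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):  # 2**cost iterations, as phpass does
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def password_matches(password: str, stored_hash: str) -> Optional[bool]:
    """True/False for a checkable hash, None if the format is unsupported."""
    computed = phpass_hash(password, stored_hash)
    if computed is None:
        return None
    return hmac.compare_digest(computed, stored_hash)


def find_exposed_users(audit_rows: Iterable[dict], user_hashes: Dict[str, str]) -> Dict[str, str]:
    """Map username -> "confirmed" (a logged string is their current password)
    or "unverifiable" (hash format not checkable here). Unknown usernames and
    non-matching strings (typos, guesses from failed logins) are left out."""
    exposed: Dict[str, str] = {}
    for row in audit_rows:
        user = row.get("username")
        candidate = row.get("details")
        if user not in user_hashes or not candidate:
            continue
        result = password_matches(candidate, user_hashes[user])
        if result:
            exposed[user] = "confirmed"
        elif result is None:
            exposed.setdefault(user, "unverifiable")
    return exposed


# Constructed sample data (not a real export).
SAMPLE_USERS = {
    "alice": phpass_hash("Tr0ub4dor&3", "$P$BKxPLmQn9"),  # phpass portable hash
    "bob": "$2y$10$" + "x" * 53,  # bcrypt-style placeholder, not checkable here
}
SAMPLE_AUDIT = [
    {"username": "alice", "event": "successful_login", "details": "Tr0ub4dor&3"},
    {"username": "alice", "event": "failed_login", "details": "Tr0ub4dor&4"},
    {"username": "bob", "event": "successful_login", "details": "hunter2"},
    {"username": "mallory", "event": "failed_login", "details": "admin123"},  # no such user
]

if __name__ == "__main__":
    for user, status in sorted(find_exposed_users(SAMPLE_AUDIT, SAMPLE_USERS).items()):
        print(f"{user}: {status} - force a password reset")
```

Two caveats when using this on a real site: a logged string that does not match the current hash is still sensitive (it may be the user's password on another service, or one character off from the real one), so the old log rows must be deleted regardless, which is what the 5.2.0 update does; and if the site has already been migrated to bcrypt hashes, replace `phpass_hash` with a check from a bcrypt library rather than treating those users as unverifiable.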
Author:
Ekaterina Alipova
Source: RB