WordPress Plugin Vulnerabilities

All-In-One Security (AIOS) – Security and Firewall < 5.2.0 - Insecure Storage of Password

Description

The plugin stores the password inside the database as plaintext allowing administrators to obtain access to user's passwords.

Affects Plugins

Plugin icon
all-in-one-wp-security-and-firewall
Fixed in 5.2.0

References

URL
https://aiosplugin.com/all-in-one-security-aios-wordpress-security-plugin-release-5-2-0/
URL
https://arstechnica.com/security/2023/07/wordpress-plugin-installed-on-1-million-sites-logged-plaintext-passwords/

Classification

Type
INSUFFICIENT CRYPTOGRAPHY
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-326
CVSS
4.5 (medium)

Miscellaneous

Verified
No
WPVDB ID
5ef1186b-7457-4fcd-96c4-e32a68c8ede2

Timeline

Publicly Published
2023-07-14 (about 10 months ago)
Added
2023-07-14 (about 10 months ago)
Last Updated
2023-07-14 (about 10 months ago)

Other

Published
Title
Published
2022-03-16
Title
Download Manager < 3.2.39 - Unauthenticated brute force of files master key
Published
2021-10-13
Title
Simple JWT Login < 3.3.0 - Insecure Password Creation
Published
2023-06-06
Title
Abandoned Cart Lite for WooCommerce < 5.15.0 - Authentication Bypass
Published
2022-09-21
Title
Passster < 3.5.5.5.2 - Insecure Storage of Password
Published
2023-11-21
Title
UserPro < 5.1.2 - Insecure Password Reset Mechanism