All-In-One Security (AIOS), a WordPress plugin installed on over a million sites, has issued a security update after a bug introduced in version 5.1.9 caused user passwords to be written to the database in plain text.
“Malicious site administrators (i.e. users already logged into the site as admins) can then read them,” UpdraftPlus, AIOS maintainer, said.
“This would be a problem if the site’s administrator tries the password on another service where your users might be using the same password. If the login for that other service is not protected by two-factor authentication, this could be a risk for the affected website.”
The problem surfaced almost three weeks ago when a plugin user reported the behavior, stating they were “absolutely shocked that a security plugin threw a basic security error 101.”
AIOS also notes that the update deletes the existing log data from the database. Successful exploitation requires a threat actor to have already compromised the WordPress site by other means and hold administrative privileges, or to gain unauthorized access to an unencrypted backup of the site.
“Thus, the chance of someone getting a privilege they don’t already have is slim,” the company said. “Patched version stops passwords from being logged, and deletes all previously saved passwords.”
As a precaution, users are advised to enable two-factor authentication in WordPress and change their passwords, especially if the same credentials have been reused on another site.
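The class of bug described above, a login-activity logger that captures the submitted credential along with the rest of the request, is easy to introduce and easy to prevent. The following is an added illustration written for this article, not code from AIOS or UpdraftPlus; it assumes the standard WordPress login form field names `log` and `pwd` and the `wp_login_failed` action hook, and the `aios_example_login_log` table name is a placeholder.

```php
<?php
// Added example, not the plugin's own code. Shows the logging mistake beside
// a hardened form and a guard that refuses rows still containing the secret.

// BUGGY: persisting the whole POST body means the plaintext password ('pwd')
// is stored alongside the username in the log table.
function buggy_log_login_attempt(array $post, callable $store): void
{
    $store([
        'user'    => $post['log'] ?? '',
        'request' => json_encode($post),   // contains $post['pwd'] verbatim
        'time'    => time(),
    ]);
}

// FIXED: record only what an administrator needs for auditing. The
// credential is never copied into the row, so there is nothing to leak.
function safe_log_login_attempt(array $post, string $remote_ip, callable $store): void
{
    $store([
        'user' => substr((string) ($post['log'] ?? ''), 0, 60),
        'ip'   => $remote_ip,
        'time' => time(),
    ]);
}

// Defensive guard: returns true if any column of a log row still contains the
// submitted password value. Useful as a pre-write check or a regression test.
function row_leaks_secret(array $row, string $secret): bool
{
    if ($secret === '') {
        return false;
    }
    foreach ($row as $value) {
        if (is_string($value) && strpos($value, $secret) !== false) {
            return true;
        }
    }
    return false;
}

// Wiring for WordPress (assumption: 'wp_login_failed' hook, $wpdb insert API).
if (function_exists('add_action')) {
    add_action('wp_login_failed', function (string $username): void {
        global $wpdb;
        $ip = $_SERVER['REMOTE_ADDR'] ?? '';
        safe_log_login_attempt(
            ['log' => $username],
            $ip,
            function (array $row) use ($wpdb): void {
                // Refuse to write if the password somehow ended up in the row.
                if (row_leaks_secret($row, (string) ($_POST['pwd'] ?? ''))) {
                    return;
                }
                $wpdb->insert($wpdb->prefix . 'aios_example_login_log', $row);
            }
        );
    });
}
```

The guard is the part worth keeping in a test suite: run `row_leaks_secret()` over whatever your logger produces for a constructed request such as `['log' => 'alice', 'pwd' => 'hunter2']` and assert it returns `false`; with the buggy logger it returns `true`.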
The disclosure comes as Wordfence details a critical flaw in the WPEverest User Registration plugin (CVE-2023-3342, CVSS score: 9.9), which has over 60,000 active installations. The vulnerability has been addressed in version 22.214.171.124.
“This vulnerability allows an authenticated attacker with minimal permissions, such as a customer, to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server,” Wordfence researcher István Márton said.
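An arbitrary file upload that reaches a web-served directory becomes remote code execution as soon as the server will interpret the uploaded file. The following server-side check is an added example written for this article, not code from the User Registration plugin or from Wordfence; it assumes a PHP site with the `fileinfo` extension available and treats the extension allowlist and size limit as illustrative values.

```php
<?php
// Added example, not the plugin's code. Validates an upload by extension
// allowlist, MIME sniffing of the actual bytes, and a size cap. Returns null
// when the file is acceptable, otherwise a short reason string.
function upload_rejection_reason(string $original_name, string $tmp_path, int $max_bytes = 2_000_000): ?string
{
    // Allowlist of non-executable document/image types (illustrative values).
    $allowed = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
    ];

    $base = basename($original_name);
    // Reject names with more than one dot-separated suffix so that
    // "avatar.php.jpg"-style names cannot confuse handler mapping.
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '') {
        return 'filename must be name.ext with a single extension';
    }
    $ext = strtolower($parts[1]);
    if (!isset($allowed[$ext])) {
        return "extension .$ext is not permitted";
    }

    if (!is_file($tmp_path)) {
        return 'temporary file missing';
    }
    if (filesize($tmp_path) > $max_bytes) {
        return 'file exceeds size limit';
    }

    // Check the real content type, not the client-supplied one.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp_path) ?: '';
    if (!in_array($mime, $allowed[$ext], true)) {
        return "content type $mime does not match .$ext";
    }
    return null;
}

// Store the accepted file under a server-generated name (never the original)
// in a directory where PHP execution is disabled by the web server config.
function store_upload(string $original_name, string $tmp_path, string $dest_dir): string
{
    $reason = upload_rejection_reason($original_name, $tmp_path);
    if ($reason !== null) {
        throw new RuntimeException("upload rejected: $reason");
    }
    $ext  = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dest_dir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp_path, $dest) && !rename($tmp_path, $dest)) {
        throw new RuntimeException('could not move upload');
    }
    return $dest;
}
```

The two design choices that matter most here are that the allowlist is keyed by extension and then cross-checked against the sniffed MIME type (so a PHP script renamed to `.jpg` fails the second check), and that the stored filename is generated server-side, which removes the attacker's control over what the web server sees.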