AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plaintext


Jul 14, 2023, THN, Password Security / WordPress


All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users' passwords to be added to the database in plaintext format.

“A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them,” UpdraftPlus, the maintainers of AIOS, said.

“This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services' logins are not protected by two-factor authentication, this could be a risk to the affected website.”

The issue surfaced nearly three weeks ago when a user of the plugin reported the behavior, stating they were “absolutely shocked that a security plugin is making such a basic security 101 error.”

AIOS also noted that the updates remove the existing logged data from the database, but emphasized that successful exploitation requires a threat actor to have already compromised a WordPress site by other means and hold administrative privileges, or to have gained unauthorized access to unencrypted site backups.

“As such, the chance for someone to gain privileges that they didn't already have is small,” the company said. “The patched version stops passwords from being logged, and clears all previously saved passwords.”

As a precaution, it is recommended that users enable two-factor authentication on WordPress and change their passwords, particularly if the same credential combinations have been used on other sites.
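The defect described above is a logging bug: an authentication event record that carries the submitted secret along with it. The following is an added illustration, not AIOS or UpdraftPlus code and not the plugin's PHP; it is written in Python against an in-memory SQLite table with a constructed schema (`login_audit`) so that it runs offline. It places the defective pattern beside a hardened logger that records only who, from where, and the outcome, and then shows the check a site owner can use to confirm a fix: submit a one-off canary password through the login path and search every text column of every table for it. The canary scan is generic (it reads the table list from the catalog rather than assuming any schema), so it goes beyond the single table in the example.

```python
"""Hypothetical login-audit logger: defect pattern beside the hardened form,
plus a canary scan to verify that no submitted secret reaches the database.
Constructed example; the table name and column layout are assumptions."""
import secrets
import sqlite3
from datetime import datetime, timezone

# Constructed audit-table schema (an assumption, not the plugin's real tables).
SCHEMA = """
CREATE TABLE login_audit (
    ts       TEXT NOT NULL,
    username TEXT NOT NULL,
    ip       TEXT NOT NULL,
    detail   TEXT NOT NULL
);
"""


def new_db():
    """Fresh in-memory database with the constructed schema applied."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def _now():
    return datetime.now(timezone.utc).isoformat()


def log_failed_login_vulnerable(db, username, password, ip):
    """DEFECT: the submitted secret is interpolated into the 'detail' column,
    so anyone who can read the table (an admin, or someone holding an
    unencrypted backup) can read the plaintext password."""
    db.execute(
        "INSERT INTO login_audit (ts, username, ip, detail) VALUES (?, ?, ?, ?)",
        (_now(), username, ip, f"wrong password: {password}"),
    )
    db.commit()


def log_failed_login_hardened(db, username, _password, ip):
    """Same call site, but the secret is never referenced or stored.
    Who, where and the outcome are all an audit trail needs."""
    db.execute(
        "INSERT INTO login_audit (ts, username, ip, detail) VALUES (?, ?, ?, ?)",
        (_now(), username, ip, "wrong password"),
    )
    db.commit()


def database_contains(db, needle):
    """Scan every text column of every user table for 'needle'.
    Table and column names come from SQLite's own catalog, so no schema
    knowledge is assumed. Returns 'table.column' of the first hit, or None."""
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        columns = [r[1] for r in db.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            hit = db.execute(
                f'SELECT 1 FROM "{table}" WHERE CAST("{col}" AS TEXT) LIKE ? LIMIT 1',
                (f"%{needle}%",),
            ).fetchone()
            if hit:
                return f"{table}.{col}"
    return None


def canary_check(logger):
    """Push a unique throwaway password through 'logger' and report where,
    if anywhere, it landed in the database. None means the logger is clean."""
    db = new_db()
    canary = "canary-" + secrets.token_hex(8)   # unique per run, never reused
    logger(db, "alice", canary, "203.0.113.7")  # constructed username and IP
    return database_contains(db, canary)


if __name__ == "__main__":
    print("vulnerable logger leaks secret at:", canary_check(log_failed_login_vulnerable))
    print("hardened logger leaks secret at:  ", canary_check(log_failed_login_hardened))
```

Against a live WordPress install the same check does not need any code: log in with a throwaway account using a freshly generated password, then search a database dump for that exact string. A hit in any table means some component is persisting submitted credentials, regardless of which plugin owns the table.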

The disclosure comes as Wordfence revealed a critical flaw impacting WPEverest's User Registration plugin (CVE-2023-3342, CVSS score: 9.9) that has over 60,000 active installations. The vulnerability has been addressed in version 3.0.2.1.

“This vulnerability makes it possible for an authenticated attacker with minimal permissions, such as a subscriber, to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable website's server,” Wordfence researcher István Márton said.
