The All-In-One Security (AIOS) WordPress plugin, a security tool created by the publishers of UpdraftPlus, has been found to have two vulnerabilities. These flaws could allow malicious uploads, cross-site scripting, and unauthorized access to file contents.
AIOS offers various security features, such as login protection, plagiarism prevention, hotlink blocking, spam comment filtering, and a firewall against hacking attempts. With over a million installations, it is a widely-used WordPress plugin.
Recently, the US National Vulnerability Database (NVD) issued warnings about two vulnerabilities in the plugin:
Path Traversal Vulnerability: The second issue allows an attacker to read files that should be inaccessible. By manipulating file references with “../” sequences or using absolute file paths, it’s possible to reach sensitive files elsewhere on the system. The NVD explains that an attacker with admin access can view the contents of any file on the server and list directories.
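The two tricks named above, “../” segments and absolute paths, both work by making a file reference resolve outside the directory the application meant to serve. The check a defender wants is to resolve the requested path fully (including symlinks) and then confirm it still sits under the intended base directory. The following is an added, language-agnostic illustration of that check written in Python; it is not code from the AIOS plugin, and the `uploads/`, `report.txt` and `secret.txt` layout it builds is constructed for the demonstration.

```python
import os
import tempfile


def safe_resolve(base_dir: str, requested: str) -> str:
    """Return the absolute path of `requested` inside `base_dir`, or raise
    ValueError if it would escape. Resolving the real path first defeats
    '../' segments, absolute paths and symlinks that point outside the base."""
    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_real when `requested` is absolute; that is
    # exactly the absolute-path trick, and the containment check catches it.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    try:
        common = os.path.commonpath([base_real, candidate])
    except ValueError:
        # Different drives (Windows): cannot be inside the base.
        raise ValueError(f"path escapes base directory: {requested!r}")
    # commonpath compares whole components, so /srv/uploads2 is not
    # mistaken for a child of /srv/uploads the way a prefix check would.
    if common != base_real:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """Boolean form of safe_resolve, convenient for logging and tests."""
    try:
        safe_resolve(base_dir, requested)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Build a constructed layout (hypothetical, for illustration only) and
    exercise the check. Returns a mapping of case label -> allowed?"""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        os.makedirs(base)
        with open(os.path.join(base, "report.txt"), "w") as fh:
            fh.write("ok\n")
        secret = os.path.join(root, "secret.txt")  # lives outside the base
        with open(secret, "w") as fh:
            fh.write("do not serve\n")
        # A symlink inside the base that points outside it.
        os.symlink(secret, os.path.join(base, "link"))
        cases = [
            ("plain", "report.txt"),
            ("dotdot_inside", "sub/../report.txt"),  # normalizes back inside
            ("dotdot_escape", "../secret.txt"),
            ("absolute", secret),
            ("symlink_escape", "link"),
        ]
        return {label: is_contained(base, req) for label, req in cases}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:15s} {'allowed' if allowed else 'REJECTED'}")
```

Note that a “../” that stays inside the base (`sub/../report.txt`) is accepted, while the three escape routes are rejected; a naive string filter that only strips “../” would miss both the absolute path and the symlink case.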
Although both vulnerabilities require admin-level credentials to be exploited, it is concerning that a security plugin has these preventable issues.
AIOS has released a patch (version 5.1.6) to address these vulnerabilities. Users should consider updating to at least version 5.1.6 or the latest version, 5.1.7, which fixes a crash related to the firewall setup.