{"id":1372,"date":"2023-04-26T11:11:08","date_gmt":"2023-04-26T11:11:08","guid":{"rendered":"https:\/\/aspentheme.com\/?p=1372"},"modified":"2023-04-26T11:11:08","modified_gmt":"2023-04-26T11:11:08","slug":"two-vulnerabilities-found-in-popular-wordpress-security-plugin","status":"publish","type":"post","link":"https:\/\/aspentheme.com\/wordpress\/two-vulnerabilities-found-in-popular-wordpress-security-plugin\/","title":{"rendered":"Two Vulnerabilities Found in Popular WordPress Security Plugin"},"content":{"rendered":"\n

The All-In-One Security (AIOS) WordPress plugin, a security tool created by the publishers of UpdraftPlus, has been found to have two vulnerabilities. These flaws may allow malicious uploads, cross-site scripting, and unauthorized access to file contents.<\/p>\n\n\n\n

AIOS offers various security features, such as login protection, plagiarism prevention, hotlink blocking, spam comment filtering, and a firewall against hacking attempts. With over a million installations, it is a widely used WordPress plugin.<\/p>\n\n\n\n

Recently, the US National Vulnerability Database (NVD) issued warnings about two vulnerabilities in the plugin:<\/p>\n\n\n\n

Data Sanitization Failure: The first issue is a failure to escape the contents of log files before they are displayed. This basic security measure, called “escaping data,” prevents unwanted data like malicious HTML or script tags from being rendered in the output. The NVD states that an attacker with admin access can plant false log files containing harmful JavaScript code, which will execute when an administrator visits the plugin admin page.<\/p>\n\n\n\n

Path Traversal Vulnerability: The second issue lets an attacker read files that should be inaccessible. By manipulating file references with “..\/” sequences or absolute file paths, it’s possible to reach sensitive files outside the intended directory. The NVD explains that an attacker with admin access can view the contents of any file on the server and list directories.<\/p>\n\n\n\n

Although both vulnerabilities require admin-level credentials to be exploited, it is concerning that a security plugin has these preventable issues.<\/p>\n\n\n\n

AIOS has released a patch (version 5.1.6) to address these vulnerabilities. Users should consider updating to at least version 5.1.6 or the latest version, 5.1.7, which fixes a crash related to the firewall setup.<\/p>\n","protected":false},"excerpt":{"rendered":"

The All-In-One Security (AIOS) WordPress plugin, a security tool created by the publishers of UpdraftPlus, has been found to have two vulnerabilities. These security flaws may potentially allow malicious uploads, cross-site scripting, and unauthorized access …<\/p>\n","protected":false},"author":1,"featured_media":1374,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[14],"tags":[],"ppma_author":[9],"authors":[{"term_id":9,"user_id":1,"is_guest":0,"slug":"aspenthemecom","display_name":"Aspen Team","avatar_url":{"url":"https:\/\/aspentheme.com\/wp-content\/uploads\/2023\/04\/favicon.svg","url2x":"https:\/\/aspentheme.com\/wp-content\/uploads\/2023\/04\/favicon.svg"},"user_url":"https:\/\/aspentheme.com","last_name":"Team","first_name":"Aspen","description":"We are the admins and main contributors to the site."}],"_links":{"self":[{"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/posts\/1372"}],"collection":[{"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/comments?post=1372"}],"version-history":[{"count":1,"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/posts\/1372\/revisions"}],"predecessor-version":[{"id":1373,"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/posts\/1372\/revisions\/1373"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/media\/1374"}],"wp:attachment":[{"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/media?parent=1372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/categories?post=1372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/tags?post=1372"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/aspentheme.com\/wp-json\/wp\/v2\/ppma_author?post=1372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}