The AIOS plugin for WordPress, which is used by more than one million websites, was discovered to be storing passwords in plain text format in the site’s database. This poses a significant risk to the security of user accounts.
The AIOS plugin, developed by Updraft, is designed to provide comprehensive security features such as a web application firewall, content protection, and login security measures. It aims to prevent unauthorized access and protect against brute force attacks.
A user recently reported that version 5.1.9 of the AIOS plugin was not only logging user login attempts in the aiowps_audit_log database table, which is intended for tracking login, logout, and failed login events, but also recording the actual passwords entered by users.
This raised concerns among users as this practice violates several security compliance standards, including NIST 800-63 3, ISO 27000, and GDPR.
In response, Updraft’s support agent acknowledged the issue as a “known bug” and vaguely promised that a fix would be included in the next release of the plugin.
Realizing the severity of the situation, the support team provided concerned users with development builds of the upcoming release two weeks ago. However, users who attempted to install these builds reported encountering website issues, and the logs containing passwords were not removed as expected.
Solution is now accessible to resolve the issue
On July 11, the AIOS vendor addressed the issue by releasing version 5.2.0, which includes a fix to prevent the storage of plaintext passwords and clears out any previously logged entries.
The release announcement states that AIOS version 5.2.0 and subsequent updates have resolved a bug present in version 5.1.9, which resulted in users’ passwords being saved in plain text format within the WordPress database. The announcement also highlights the potential risks associated with this vulnerability, particularly if site administrators with malicious intent try these passwords on other platforms where users may have reused them. Without additional security measures like two-factor authentication, unauthorized access to user accounts on other services becomes more likely.
In addition to the threat of rogue administrators, websites utilizing AIOS are exposed to a higher risk of hacker breaches. If an attacker gains access to the site’s database, they could easily extract user passwords in plaintext. As of now, WordPress.org statistics indicate that approximately one-fourth of AIOS users have updated to version 5.2.0, leaving more than 750,000 sites vulnerable.
Regrettably, given that WordPress is a common target for threat actors, there is a possibility that some sites using AIOS may have already been compromised. Moreover, considering that the issue has been publicly known for three weeks, hackers have had ample time to exploit the slow response from the plugin’s creators.
It is unfortunate that Updraft did not inform its users about the heightened risk of exposure during the period of vulnerability or provide guidance on necessary actions to mitigate the impact.
Websites employing AIOS should promptly update to the latest version and encourage users to reset their passwords as a precautionary measure.