Updraft has released a security update for AIOS (All-In-One Security), fixing a risky behavior in the plugin that caused it to log user passwords in cleartext in the site's database.
AIOS is a complete security suite plugin for WordPress websites, featuring anti-bot protection, a WAF, and brute-force-resistant login tools. It has over 1,000,000 installations and is trusted by high-traffic websites.
Three weeks ago, it was revealed that the plugin followed the unsafe practice of logging user login attempts to the site's database, storing unencrypted user passwords in those logs. The logs could be accessed by any administrator account on the site: the owner, contracted web developers or designers, IT staff, content managers or editors, e-commerce managers, SEO managers, and others.
Any of those admin account holders would have unrestricted access to every password entered on an affected website and could reuse them on other platforms to take control of the exposed users' accounts.
Additionally, attackers leveraging flaws in other plugins, or using compromised admin accounts whose credentials were brute-forced, would gain access to the entire password log for all members of the affected website. Given the abundance of vulnerabilities in the WordPress ecosystem, finding an exploitable flaw that could be used to elevate privileges on a target website shouldn't be too hard.
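To make the defect concrete, here is an added illustration of the pattern described above; it is hypothetical PHP written for this article, not code from AIOS or Updraft, and the function names, the `$credentials` array shape and the sample values are assumptions. It shows a login-attempt record builder that copies the submitted password into the audit row, beside a hardened builder that keeps only the fields an investigator needs and refuses to emit any secret-looking key.

```php
<?php
// Added illustration, not code from AIOS or Updraft: a hypothetical
// login-attempt logger showing the unsafe pattern (storing the submitted
// password) beside a hardened record builder. Function names and the
// $credentials layout are assumptions made for this example.

declare(strict_types=1);

/**
 * UNSAFE: copies the whole credential set into the audit record, so every
 * password (including near-miss typos of valid passwords) lands in the
 * database in cleartext, readable by anyone with admin or DB access.
 */
function build_login_record_unsafe(array $credentials, string $ip, bool $success): array
{
    return [
        'time'     => gmdate('c'),
        'user'     => $credentials['user_login'],
        'password' => $credentials['user_password'], // the defect: never store this
        'ip'       => $ip,
        'success'  => $success,
    ];
}

/**
 * Hardened: an explicit allow-list of fields. The password is dropped
 * entirely; no hash or "masked" copy is kept either, because even a hash of
 * a submitted password is an offline-cracking target.
 */
function build_login_record(array $credentials, string $ip, bool $success): array
{
    $allowed = ['user_login'];
    $record  = [
        'time'    => gmdate('c'),
        'ip'      => $ip,
        'success' => $success,
    ];
    foreach ($allowed as $field) {
        $record[$field] = isset($credentials[$field]) ? (string) $credentials[$field] : '';
    }
    // Defensive check: a future change that widens $allowed cannot silently
    // reintroduce the leak without tripping this guard.
    foreach (['user_password', 'password', 'pwd', 'pass'] as $secret) {
        if (array_key_exists($secret, $record)) {
            throw new LogicException("refusing to log secret field '$secret'");
        }
    }
    return $record;
}

/**
 * Audit helper: given rows exported from an existing log table, return the
 * ones that still carry a non-empty password column, so an operator can
 * confirm whether old data remains after an upgrade.
 */
function rows_with_cleartext_passwords(array $rows): array
{
    return array_values(array_filter(
        $rows,
        fn(array $r) => isset($r['password']) && $r['password'] !== ''
    ));
}

// Constructed sample input (not real data).
$attempt = ['user_login' => 'editor', 'user_password' => 'correct horse battery staple'];
$unsafe  = build_login_record_unsafe($attempt, '203.0.113.7', false);
$safe    = build_login_record($attempt, '203.0.113.7', false);

assert(isset($unsafe['password']));
assert(!isset($safe['password']) && !isset($safe['user_password']));
assert(count(rows_with_cleartext_passwords([$unsafe, $safe])) === 1);
print_r($safe);
```

The allow-list approach is the point: a logger should name the fields it is permitted to keep rather than strip the ones it knows are secret, because the second approach fails the first time a new sensitive field appears.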
Updraft remained silent about the problem, apart from acknowledging its existence in a support discussion, and released version 5.2.0 earlier this week, which rectifies it. The plugin's vendor says the latest update removes the existing logged data and no longer creates logs that put people's credentials at unnecessary risk.
However, not all users of the plugin have responded to the urgency of the situation, and the fact that Updraft has not communicated the problem to its users with the prominence it deserves has not helped adoption of the latest version. So far, only 24% of AIOS users have moved to version 5.2, which means that hundreds of thousands of websites remain exposed to the risk of leaking plaintext passwords.
Websites using AIOS should upgrade to the latest version of the plugin immediately, then force password resets for all users while informing them of the potential compromise of their credentials. This protects exposed users from "password stuffing" attacks on other online platforms. Users can maximize the protection of their accounts by using unique passwords on every platform and enabling multi-factor authentication wherever it is available.
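As an added example of the forced-reset step (not part of the article, and not a script shipped by AIOS or WordPress), the following PHP rotates every account on a site after the plugin has been upgraded. It assumes it is executed inside a WordPress bootstrap, for instance with WP-CLI's `wp eval-file`, so that the core functions it calls (`get_users`, `get_userdata`, `wp_set_password`, `wp_generate_password`, `WP_Session_Tokens`, `retrieve_password`) are available; `retrieve_password()` as a callable core function exists from WordPress 5.7 onward. The function names `rotate_user_credentials` and `rotate_all_users` are this example's own.

```php
<?php
// Added example, not part of the article or of AIOS: force a credential
// rotation for every account after upgrading the plugin. Assumes a WordPress
// bootstrap (e.g. `wp eval-file force-reset.php`); core functions used here
// are get_users, get_userdata, wp_set_password, wp_generate_password,
// WP_Session_Tokens and retrieve_password (WordPress 5.7+). Try it on a
// staging copy first: it logs every user out, including the operator.

declare(strict_types=1);

/**
 * Rotate one account: invalidate every logged-in session, replace the
 * password with a random value nobody knows, and send the user the standard
 * reset link. Returns true on success or a WP_Error from retrieve_password().
 */
function rotate_user_credentials(int $user_id)
{
    $user = get_userdata($user_id);
    if (!$user) {
        return new WP_Error('no_user', "user $user_id not found");
    }
    // Kill all existing sessions (auth cookies) for this account, so a
    // session opened with the exposed password stops working immediately.
    WP_Session_Tokens::get_instance($user_id)->destroy_all();
    // Set an unguessable throwaway password so the old (exposed) one is dead
    // even if the reset e-mail is never acted on.
    wp_set_password(wp_generate_password(32, true, true), $user_id);
    // Send the normal "reset your password" e-mail.
    return retrieve_password($user->user_login);
}

/** Rotate every account on the site; returns [user_id => true|WP_Error]. */
function rotate_all_users(): array
{
    $results = [];
    foreach (get_users(['fields' => 'ID']) as $id) {
        $results[(int) $id] = rotate_user_credentials((int) $id);
    }
    return $results;
}

$results = rotate_all_users();
$failed  = array_filter($results, fn($r) => is_wp_error($r));
printf("rotated %d accounts, %d reset e-mails failed\n", count($results), count($failed));
foreach ($failed as $id => $err) {
    printf("  user %d: %s\n", $id, $err->get_error_message());
}
```

Setting a random password before sending the reset mail matters: a reset link alone leaves the exposed password valid until the user clicks it, and destroying sessions first ensures nobody who already logged in with a leaked credential stays in. Pair this with the user notification the article recommends, since the e-mail is the only thing that tells people why they were signed out.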