All-In-One Security (AIOS), one of the popular WordPress plugins, released a patch after discovering that the plugin was logging plaintext passwords and storing them in a database accessible to website administrators.
The incident was caused by a bug introduced in version 5.1.9 of AIOS, released in May. The latest version, 5.2.0, was released to address the bug and delete the problematic data from the database.
According to the developers, the passwords were logged when users logged into a site that employed the plugin. While AIOS claims that exploiting this flaw requires high-level administrative privileges, security experts argue that storing passwords in plaintext represents a significant security risk.
For decades, industry professionals have strongly advised against storing passwords in plaintext because hackers can easily breach websites and access sensitive information. Instead, passwords should be stored using a cryptographic hash algorithm, which makes it extremely difficult for threat actors to reverse-engineer the passwords.
The bug responsible for logging plaintext passwords in AIOS was initially reported in a WordPress forum around three weeks ago. A user raised concerns about the flaw potentially causing the organisation to fail a forthcoming security review by third-party compliance auditors. In response, an AIOS representative acknowledged the bug, providing a script to clear the logged data. However, the user reported that the script did not successfully address the issue.
AIOS has since released version 5.2.0 to rectify the bug and issued an advisory emphasizing the importance of keeping plugins up to date to patch any identified vulnerabilities. Additionally, they advised users to change passwords regularly, especially if they suspect a compromise, and to enable two-factor authentication for enhanced security.
Users of AIOS are strongly urged to install the latest update as soon as possible and ensure that the log deletion process works effectively. In cases where users suspect their passwords may have been captured by a website using AIOS, they should promptly change their passwords on that site and consider changing passwords on other sites where the same password is used.