WordPress Plugin Vulnerabilities

All-In-One Security (AIOS) – Security and Firewall < 5.2.0 - Insecure Storage of Password

Description

The plugin stores the password inside the database as plaintext allowing administrators to obtain access to user's passwords.

Affects Plugins

Plugin icon
all-in-one-wp-security-and-firewall
Fixed in 5.2.0

References

URL
https://aiosplugin.com/all-in-one-security-aios-wordpress-security-plugin-release-5-2-0/
URL
https://arstechnica.com/security/2023/07/wordpress-plugin-installed-on-1-million-sites-logged-plaintext-passwords/

Classification

Type
INSUFFICIENT CRYPTOGRAPHY
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-326
CVSS
4.5 (medium)

Miscellaneous

Verified
No
WPVDB ID
5ef1186b-7457-4fcd-96c4-e32a68c8ede2

Timeline

Publicly Published
2023-07-14 (about 2 years ago)
Added
2023-07-14 (about 2 years ago)
Last Updated
2023-07-14 (about 2 years ago)

Other

Published
Title
Published
2023-10-20
Title
SALESmanago < 3.2.5 - Log Injection via Weak Authentication Token
Published
2021-10-13
Title
Simple JWT Login < 3.3.0 - Insecure Password Creation
Published
2022-09-21
Title
Passster < 3.5.5.5.2 - Insecure Storage of Password
Published
2023-06-02
Title
User Email Verification for WooCommerce <= 3.5.0 - Authentication bypass via weak token generation
Published
2025-08-28
Title
Password Reset with Code < 0.0.17 - Insecure Password Reset Code Creation