WordPress Plugin Vulnerabilities

All In One WP Security < 5.2.5 - Protection Bypass of Renamed Login Page via URL Encoding

Description

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to protection bypass on the login page in all versions up to and including 5.2.4. This makes it possible for unauthenticated attackers to visit the login page in cases where it has been renamed by using URL Encoding to visit wp-login.php.

Affects Plugins

Plugin icon
all-in-one-wp-security-and-firewall
Fixed in 5.2.5

References

CVE
CVE-2023-52147
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/63fc381e-ce72-4c90-bb35-daba520be40d

Miscellaneous

Original Researcher
Naveen Muthusamy
Verified
No
WPVDB ID
d485b6d4-4bf3-4d97-a64c-019988ced5d4

Timeline

Publicly Published
2023-10-25 (about 2 years ago)
Added
2023-12-26 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2015-01-17
Title
Store Locator Plus 4.2.23 - Email Injection
Published
2014-08-01
Title
Image News Slider 3.3 - Unspecified Vulnerabilities
Published
2025-02-14
Title
Bit Assist < 1.5.3 - Subscriber+ Arbitrary File Read via fileID Parameter
Published
2014-04-28
Title
TinyMCE Color Picker 1.1 - tinymce-colorpicker.php Missing edit_others_posts Capability Check
Published
2025-03-11
Title
BP Email Assign Templates <= 1.6 - Missing Authorization to Authorization Bypass