All-In-One Security (AIOS) WordPress plugin vulnerabilities impact up to +1 million WordPress sites
WordPress security plugin was discovered to have two vulnerabilities that could allow a malicious upload, cross-site scripting, and allow viewing of contents of arbitrary files.
All-In-One Security (AIOS) WordPress Plugin
The All-In-One Security (AIOS) WordPress plugin, provided by the publishers of UpdraftPlus, offers security and firewall functionality designed to lock out hackers.
It offers log-in security protection that locks out attackers, plagiarism protection, block hotlinking, comment spam blocking, and a firewall that serves as a defense against hacking threats.
The plugin also enforces proactive security by alerting users to common mistakes like using the “admin” user name.
It’s a comprehensive security suite that’s backed by the makers of Updraft Plus, one of the most trusted WordPress plugin publishers.
These qualities make AIOS highly popular, with over one million WordPress installations.
The United States government National Vulnerability Database (NVD) published a pair of warnings about two vulnerabilities.
1. Data Sanitization Failure
The first vulnerability is due to a data sanitization failure, specifically a failure to escape log files.
Escaping data is a basic security process that strips any sensitive data from outputs generated by a plugin.
WordPress even has a developer page devoted to the topic, with examples of how to do it and when to do it.
2. Directory Traversal Vulnerability
The second vulnerability appears to be a Path Traversal vulnerability.
This vulnerability allows an attacker to exploit a security failure in order to access files that would not ordinarily be accessible.
The non-profit Open Worldwide Application Security Project (OWASP) warns that a successful attack could compromise critical system files.
“A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.
By manipulating variables that reference files with ‘dot-dot-slash (../)’ sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.”
The NVD describes this vulnerability:
“The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in it’s settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access).
Consider Updating the AIOS WordPress Plugin
AIOS released a patch in version 5.1.6 of the plugin. Users may wish to consider updating to at least version 5.1.6, and possibly to the latest version, 5.1.7, which fixes a crash that occurs when the firewall is not set up.
Read the Two NVD Security Bulletins
CVE-2023-0157 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVE-2023-0156 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)