TechRadar
Sead Fadilpašić

This WordPress plugin with over a million installs had a major security flaw

A popular security plugin for the WordPress content management system, installed on more than a million websites, was found to be storing users' passwords in plaintext in the site database, where any site administrator could read them at will.

The plugin in question, All-In-One Security (AIOS), is installed on at least a million websites, Ars Technica reported.

Earlier this week, the developers confirmed the flaw, saying the bug was introduced in version 5.1.9 of the plugin. Version 5.2.0 has since been released, and users are advised to update immediately. Besides stopping the plugin from saving passwords in plaintext, the patch also “deletes the problematic data from the database,” the developers said. Updating removes the stored copies; it does not undo any exposure that already took place while they were there.
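As an added illustration (not the plugin's own code, which the article does not show), the following Python sketches the bug class and the shape of the fix described above: a login-audit logger that persists the whole submitted form, the same logger with credential fields allowlisted out before anything is written, a check an administrator can run over an existing table to find rows that still carry a password, and a clean-up that strips the leaked values from old rows while keeping the rest of the audit record. The SQLite schema, the `login_audit` table and the helper names are assumptions made for the example; only the `log` and `pwd` field names come from the standard WordPress login form.

```python
"""Login-audit logging: the plaintext-password bug pattern next to its fix.

Constructed example, not AIOS code. An in-memory SQLite table stands in for
the plugin's real schema, which the article does not describe; only the form
field names `log` and `pwd` come from the standard WordPress login form.
"""
import sqlite3
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode

# Login-form fields that must never be persisted anywhere, not even masked.
SENSITIVE_FIELDS = frozenset({"pwd", "password", "pass1", "pass2", "user_pass"})


def open_audit_db():
    """Create the (assumed) audit table in a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login_audit ("
        " id INTEGER PRIMARY KEY, ts TEXT, username TEXT, outcome TEXT, details TEXT)"
    )
    return conn


def _insert(conn, form, outcome, details):
    conn.execute(
        "INSERT INTO login_audit (ts, username, outcome, details) VALUES (?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), form.get("log", ""), outcome, details),
    )
    conn.commit()


def log_attempt_vulnerable(conn, form, outcome):
    """Bug pattern: the whole submitted form, password included, goes into the row."""
    _insert(conn, form, outcome, urlencode(sorted(form.items())))


def log_attempt_fixed(conn, form, outcome):
    """Fix: drop credential fields before anything is written (allowlist, not masking)."""
    safe = [(k, v) for k, v in sorted(form.items()) if k not in SENSITIVE_FIELDS]
    _insert(conn, form, outcome, urlencode(safe))


def leaked_row_ids(conn):
    """Admin check: ids of rows whose details column still carries a credential field."""
    leaked = []
    for row_id, details in conn.execute("SELECT id, details FROM login_audit"):
        keys = {k for k, _ in parse_qsl(details, keep_blank_values=True)}
        if keys & SENSITIVE_FIELDS:
            leaked.append(row_id)
    return leaked


def scrub_leaked_rows(conn):
    """Clean-up analogous to the patch: remove the credential fields from old rows,
    keeping the rest of the audit record. Returns the number of rows rewritten."""
    ids = leaked_row_ids(conn)
    for row_id in ids:
        (details,) = conn.execute(
            "SELECT details FROM login_audit WHERE id = ?", (row_id,)
        ).fetchone()
        kept = [(k, v) for k, v in parse_qsl(details, keep_blank_values=True)
                if k not in SENSITIVE_FIELDS]
        conn.execute("UPDATE login_audit SET details = ? WHERE id = ?",
                     (urlencode(kept), row_id))
    conn.commit()
    return len(ids)


def all_details(conn):
    """Inspection helper: the details column of every row, in id order."""
    return [d for (d,) in conn.execute("SELECT details FROM login_audit ORDER BY id")]


if __name__ == "__main__":
    db = open_audit_db()
    # Constructed input shaped like a wp-login.php submission.
    attempt = {"log": "alice", "pwd": "hunter2", "rememberme": "forever"}
    log_attempt_vulnerable(db, attempt, "failure")
    log_attempt_fixed(db, attempt, "failure")
    print("leaked rows before scrub:", leaked_row_ids(db))  # [1]
    print("rows scrubbed:", scrub_leaked_rows(db))          # 1
    print(all_details(db))
```

The fixed logger drops the fields rather than masking them: a masked value still tells an attacker which column to look in, and a masking bug silently becomes a plaintext leak again. The scrub keeps the username and outcome so the audit trail stays useful after clean-up.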

Rogue admins

Speaking to Ars Technica via email, a company representative played down the flaw, pointing out that the passwords were only readable by administrators: “gaining anything from this defect requires being logged in with the highest-level administrative privileges, or equivalent. i.e. It can be exploited by a rogue admin who can already do such things because he's an admin,” the email reads. That is less reassuring than it sounds. An administrator who goes rogue, or whose account is stolen or otherwise compromised, is about as serious an incident as a WordPress site can have, and this flaw hands that person every user's password on top of it.

More fundamentally, a site should never hold its users' passwords in readable form at all. WordPress, like any properly built login system, stores only a salted hash and checks a login by hashing what the user types and comparing the result; nothing in the database should ever allow the original password to be read back. A plaintext copy is valuable to attackers well beyond the site itself: many people reuse the same credentials across numerous services, so a password lifted from one site can be tried against email, banking and other accounts, and breaching one might mean breaching many.

Still, AIOS' developers apologized for the mistake and gave admins a few pointers on what to do next: update all WordPress plugins, enable multi-factor authentication (MFA) where possible, and change passwords regularly.

The last of these, as Ars Technica notes, is no longer considered industry best practice: research has found that forced periodic password changes tend to do more harm than good, as users respond with weaker, predictable variations of the old password. Changing a password after a known exposure such as this one is a different matter and remains sound advice.

Via: Ars Technica
