
AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plaintext
2023-07-14 11:07

All-In-One Security, a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users' passwords to be added to the database in plaintext.

"This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services' logins are not protected by two-factor authentication, this could be a risk to the affected website."

The issue surfaced nearly three weeks ago when a user of the plugin reported the behavior, stating they were "Absolutely shocked that a security plugin is making such a basic security 101 error."

AIOS also noted that the updates remove the existing logged data from the database, but emphasized that successful exploitation requires a threat actor to have already compromised a WordPress site by other means and have administrative privileges, or to have gained unauthorized access to unencrypted site backups.

"The patched version stops passwords from being logged, and clears all previous saved passwords."

As a precaution, it's recommended that users enable two-factor authentication on WordPress and change their passwords, particularly if the same credential combinations have been used on other sites.
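The failure mode described above, as an added illustration that is not the plugin's code: a login-audit logger that copies the raw request into its record (the defect) next to one that keeps only what an audit needs, plus a cleanup routine that strips password fields from rows already written, mirroring the two parts of the patched behaviour (stop logging, clear what was saved). The field names, the sample request and the record layout are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of what a login handler receives: WordPress-style form
# fields ("log", "pwd") plus request metadata. Names are assumptions.
SAMPLE_REQUEST = {
    "log": "alice",
    "pwd": "correct horse battery staple",
    "remote_addr": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (constructed)",
}

# Field names an audit record must never contain.
SENSITIVE_FIELDS = {"pwd", "password", "pass"}


def log_attempt_verbatim(request: dict, success: bool) -> dict:
    """The defect: the raw request, password included, is copied into the audit row."""
    return {
        "when": datetime.now(timezone.utc).isoformat(),
        "success": success,
        "request": dict(request),
    }


def log_attempt_safe(request: dict, success: bool) -> dict:
    """Hardened: keep only what an audit needs; the submitted secret is never stored."""
    return {
        "when": datetime.now(timezone.utc).isoformat(),
        "success": success,
        "username": request.get("log", ""),
        "remote_addr": request.get("remote_addr", ""),
        "user_agent": request.get("user_agent", ""),
    }


def contains_secret(record: dict) -> bool:
    """True if a sensitive field appears at the top level or inside a nested request."""
    nested = record.get("request")
    keys = set(record) | (set(nested) if isinstance(nested, dict) else set())
    return any(k.lower() in SENSITIVE_FIELDS for k in keys)


def purge_passwords(records: list) -> int:
    """Cleanup for rows written by the buggy version: delete sensitive fields in place.
    Returns how many records were modified, so a migration can report its work."""
    changed = 0
    for rec in records:
        targets = [rec] + ([rec["request"]] if isinstance(rec.get("request"), dict) else [])
        hit = False
        for d in targets:
            for k in [k for k in d if k.lower() in SENSITIVE_FIELDS]:
                del d[k]
                hit = True
        if hit:
            changed += 1
    return changed
```

Run `contains_secret` over existing audit rows before and after `purge_passwords` to confirm the cleanup actually removed every stored secret rather than trusting the migration's return value alone.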


News URL

https://thehackernews.com/2023/07/aios-wordpress-plugin-faces-backlash.html
