Security News > 2023 > July > WordPress AIOS plugin used by 1M sites logged plaintext passwords
The All-In-One Security (AIOS) WordPress security plugin, used by over a million WordPress sites, was found to be logging plaintext passwords from user login attempts to the site's database, putting account security at risk.
Roughly three weeks ago, a user reported that the AIOS v5.1.9 plugin was not only recording user login attempts to the aiowps audit log database table, which is used to track logins, logouts, and failed login events, but also recording the inputted password.
Eventually, on July 11, the AIOS vendor released version 5.2.0, which includes a fix to prevent saving plaintext passwords and clears out old entries.
"AIOS release 5.2.0 and newer updates have fixed a bug in 5.1.9 which resulted in users' passwords being added to the WordPress database in plain text," reads the release announcement.
Apart from the malicious admin scenario, websites using AIOS would face elevated risk from hacker breaches, as a bad actor gaining access to the site's database could exfiltrate user passwords in plaintext form.
With WordPress a common target for threat actors, there is a chance that some of the sites using AIOS were compromised already. Considering that the issue has been circulating online for three weeks now, hackers have had plenty of opportunity to take advantage of the plugin creator's slow response.
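The class of bug described above, and the two parts of the 5.2.0 fix (stop saving the password, clear out old entries), can be illustrated with a small audit-logging sketch. This is an added example, not AIOS code: every function name, field name and the row layout are hypothetical, and the login attempt is constructed sample data.

```php
<?php
// Added illustration; not AIOS code. All names and the row layout are hypothetical.

// Fields an audit row may carry. Anything else (passwords, tokens) is dropped.
const AUDIT_ALLOWED_FIELDS = ['username', 'ip', 'user_agent'];

// Unsafe pattern: serialises the whole login context, so the submitted
// password ends up in the audit table in plaintext.
function audit_row_unsafe(string $event, array $context): array
{
    return ['event' => $event, 'details' => json_encode($context)];
}

// Safer pattern: allow-list the fields that are persisted.
function audit_row_safe(string $event, array $context): array
{
    $details = array_intersect_key($context, array_flip(AUDIT_ALLOWED_FIELDS));
    return ['event' => $event, 'details' => json_encode($details)];
}

// Cleanup check: flag stored rows whose details contain a credential-like key,
// so rows written before the fix can be found and purged.
function row_has_secret(array $row): bool
{
    $details = json_decode($row['details'], true);
    if (!is_array($details)) {
        return false;
    }
    foreach (array_keys($details) as $key) {
        if (preg_match('/pass|pwd|secret|token/i', (string) $key)) {
            return true;
        }
    }
    return false;
}

// Constructed sample login attempt.
$context = [
    'username'   => 'alice',
    'password'   => 'example-password-123',
    'ip'         => '203.0.113.7',
    'user_agent' => 'ExampleBrowser/1.0',
];

$unsafe = audit_row_unsafe('failed_login', $context);
$safe   = audit_row_safe('failed_login', $context);

var_dump(row_has_secret($unsafe)); // details were built from the full context
var_dump(row_has_secret($safe));   // details were built from the allow-list
```

An allow-list is used rather than a deny-list so that a new credential field added to the login context later is excluded from the log by default.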