Popular WordPress Security Plugin Caught Logging Plaintext Passwords

Cyber Security Threat Summary:
A popular WordPress plugin, All-In-One Security (AIOS), was found to log plaintext passwords from login attempts. With over one million installs on WordPress sites, AIOS is a security and firewall plugin designed to log user activity and prevent cyberattacks such as brute-force attempts, for example by warning admins when the default admin username is used for login. Approximately two weeks ago, user reports started coming in about an insecure design flaw in the plugin. In particular, AIOS version 5.1.9 writes plaintext passwords from login attempts to the database. If an attacker gains access to a privileged account, they can view the login credentials of all other administrative users. In light of the reports, the plugin's maintainers released AIOS version 5.2.0 to address the issue. However, that update was reported to break sites and not to remove the existing password logs, requiring the maintainers to release another batch of updates, with version 5.2.1 of AIOS coming out on Wednesday.

Security Officer Comments:
Although the plugin's developers have not reported malicious exploitation of the issue, users should reset their credentials, as these could have been accessed by threat actors. The same credentials are often reused across several platforms, which is poor security practice: an attacker who obtains them can gain access to those other platforms with little to no effort, especially if two-factor authentication is not enabled.

Suggested Correction(s):
"All-In-One Security (AIOS) users are advised to update their installations as soon as possible. Based on WordPress statistics, hundreds of thousands of websites are still running a vulnerable version of the plugin" (Security Week, 2023)

In general, administrators should rotate passwords regularly and implement multi-factor authentication wherever possible, as this adds an extra layer of protection even when a password has been exposed.
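For administrators responsible for more than one site, the first step of the correction above is knowing which installs still run an affected release. The script below is an added example, not code from the advisory or from the AIOS project: it takes an inventory of sites and their installed AIOS versions (the inventory is constructed) and sorts them into "fixed", "affected" and "update-unknown". The version numbers 5.1.9, 5.2.0 and 5.2.1 come from the summary; treating releases older than 5.1.9 as "update anyway, status unknown" is an assumption, since the summary only names 5.1.9 as writing plaintext passwords and 5.2.0 as leaving the logs in place.

```python
"""Triage WordPress sites for the AIOS plaintext-password logging issue.

Added example, not from the advisory or the AIOS project. The version
numbers come from the advisory; the inventory is constructed, and treating
versions older than 5.1.9 as "unknown, update anyway" is an assumption.
"""
from typing import Dict, List, Tuple

# Versions named in the advisory: 5.1.9 logs plaintext passwords, 5.2.0 did
# not remove the logs already written, 5.2.1 is the corrected release.
LOGGING_VERSION = (5, 1, 9)
INCOMPLETE_FIX = (5, 2, 0)
FIXED_VERSION = (5, 2, 1)

# Constructed inventory: site name -> installed AIOS version string.
SITES: Dict[str, str] = {
    "blog.example": "5.1.9",
    "shop.example": "5.2.0",
    "docs.example": "5.2.1",
    "wiki.example": "5.1.5",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.2.1' into (5, 2, 1) so versions compare numerically, not as strings
    (a string compare would wrongly put '5.10.0' before '5.2.1')."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(version: str) -> str:
    """Return the remediation status for one installed AIOS version."""
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return "fixed"
    if v in (LOGGING_VERSION, INCOMPLETE_FIX):
        # Passwords were written (5.1.9) or the logs survived the update (5.2.0).
        return "affected"
    # Older releases: the advisory does not say whether they log passwords,
    # so they are flagged for update without a definite verdict (assumption).
    return "update-unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group sites by status so admins know where to update first."""
    result: Dict[str, List[str]] = {"fixed": [], "affected": [], "update-unknown": []}
    for site, version in sorted(inventory.items()):
        result[classify(version)].append(site)
    return result


def credential_reset_targets(inventory: Dict[str, str]) -> List[str]:
    """Sites whose administrative credentials should be rotated: every site not
    confirmed on the corrected release. Per the advisory, rotating on fixed sites
    too is still reasonable, since logs may have been written before the update."""
    groups = triage(inventory)
    return sorted(groups["affected"] + groups["update-unknown"])


if __name__ == "__main__":
    for status, sites in triage(SITES).items():
        print(f"{status:15s} {', '.join(sites) or '-'}")
    print("rotate credentials on:", ", ".join(credential_reset_targets(SITES)))
```

Run it against a real inventory by replacing `SITES` with the output of whatever tooling you use to list plugin versions across your fleet; the classification logic does not depend on how the inventory was gathered.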

Link(s):
https://www.securityweek.com/popular-wordpress-security-plugin-caught-logging-plaintext-passwords