All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users’ passwords to be written to the database in plaintext.
“A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them,” UpdraftPlus, the maintainers of AIOS, said.
“This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services’ logins are not protected by two-factor authentication, this could be a risk to the affected website.”
The issue surfaced nearly three weeks ago when a user of the plugin reported the behavior, stating they were “absolutely shocked that a security plugin is making such a basic security 101 error.”
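To show how a "security 101" slip of this kind can happen in a WordPress login-audit feature, here is an added illustration (constructed for this article, not AIOS's or UpdraftPlus's code). It uses the real WordPress `authenticate` filter, which hands the submitted password to every callback; the table name `login_audit` and both function names are assumptions.

```php
<?php
// Constructed illustration of the bug class described above (not AIOS code).
// The WordPress 'authenticate' filter passes the raw submitted password to
// every callback, so a login-audit feature has it in hand and must not store it.

// Defective pattern: the audit row keeps the raw password. Anyone who can read
// the table (a site admin, a database backup, a DB dump) gets plaintext credentials.
function audit_login_unsafe( $user, $username, $password ) {
    global $wpdb;
    if ( '' === $username ) {
        return $user;
    }
    $wpdb->insert( $wpdb->prefix . 'login_audit', array(   // table name assumed
        'username'  => $username,
        'password'  => $password,   // BUG: plaintext secret written to the database
        'logged_at' => current_time( 'mysql' ),
    ) );
    return $user;
}

// Corrected pattern: record who, from where, and whether the attempt succeeded.
// The password is never persisted; WordPress core has already checked it against
// the stored hash by the time this callback runs at priority 99.
function audit_login_safe( $user, $username, $password ) {
    global $wpdb;
    if ( '' === $username ) {
        return $user;
    }
    $wpdb->insert( $wpdb->prefix . 'login_audit', array(   // table name assumed
        'username'  => $username,
        'remote_ip' => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '',
        'succeeded' => ( $user instanceof WP_User ) ? 1 : 0,
        'logged_at' => current_time( 'mysql' ),
    ) );
    return $user;
}
// Priority 99 so core's username/password check (priority 20) has already settled $user.
add_filter( 'authenticate', 'audit_login_safe', 99, 3 );
```

When reviewing a plugin, any callback on `authenticate` that references its third parameter outside of passing it through deserves a close look, since that parameter is the only place the plaintext password appears.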