A WordPress security plugin has been found to have two vulnerabilities, potentially allowing malicious uploads, cross-site scripting, and access to arbitrary file contents.
All-In-One Security (AIOS) WordPress Plugin
The All-In-One Security (AIOS) WordPress plugin, created by the publishers of UpdraftPlus, provides security and firewall capabilities aimed at preventing hacker attacks.
It includes features such as log-in security to block attackers, plagiarism protection, hotlinking prevention, comment spam blocking, and a firewall that mitigates hacking threats. The plugin also promotes proactive security by alerting users to common mistakes, such as using the username "admin."
With over one million installations, AIOS is a highly popular security suite backed by one of the most trusted WordPress plugin publishers.
Two Vulnerabilities
The United States government’s National Vulnerability Database (NVD) has issued warnings about two specific vulnerabilities in the AIOS plugin.
1. Data Sanitization Failure
The first vulnerability is a data sanitization failure, specifically a failure to escape the contents of log files before outputting them. Escaping output is a basic security measure that neutralizes characters with special meaning in HTML, so that data a plugin prints is rendered as text rather than interpreted as markup or script. WordPress offers guidelines on how and when to escape output data so that unwanted content, such as malformed HTML or script tags, cannot end up in a page.
The NVD describes this vulnerability as follows:
"The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to insert malicious JavaScript code in bogus log files. This code will execute in the context of any administrator visiting this page."
2. Directory Traversal Vulnerability
The second vulnerability is a Path Traversal vulnerability. It allows an attacker to reach files that should be off-limits by supplying a file reference the application does not properly restrict. The Open Worldwide Application Security Project (OWASP) warns that such an attack can lead to the compromise of critical system files.
The NVD elaborates on this vulnerability:
"The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not restrict which log files can be displayed on its settings pages. This flaw allows an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server, provided the web server has access. Only the last 50 lines of the file are displayed."
Both vulnerabilities require the attacker to have admin-level credentials, which complicates the exploitation process. Nonetheless, such vulnerabilities are unexpected in a security plugin.
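The two flaws described above are the two halves of one pattern: a log viewer that decides which file to show and then prints its contents into an admin page. The following is an added example, written for this article and not code from the AIOS plugin, showing how such a viewer is hardened against both issues at once: the requested name must be a bare file name on a hypothetical allowlist, the resolved path must sit inside the designated log directory (a realpath() containment check), and every line is passed through esc_html() before it is echoed. The log directory, the allowlist and the sample log content are constructed for the demonstration; esc_html() is WordPress's function, with a stand-in defined only when the example runs outside WordPress.

```php
<?php
// Added example (not AIOS code): a hardened "show the tail of a log file" routine.
// Assumptions: $log_dir is the only directory whose files may be displayed, the
// allowlist is hypothetical, and WordPress's esc_html() is used when available.
declare(strict_types=1);

if (!function_exists('esc_html')) {
    // Stand-in for WordPress's esc_html() so the example runs outside WordPress.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/**
 * Resolve a requested log name to a real path, or return null if it is not allowed.
 * Two independent checks: an allowlist of known log basenames, and a realpath()
 * containment check against $log_dir (defeats "../" segments and symlink tricks).
 */
function resolve_allowed_log(string $requested, string $log_dir, array $allowed): ?string {
    // Only a bare file name is acceptable; any directory component is rejected.
    if ($requested !== basename($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($log_dir);
    $path = realpath($log_dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    // Containment: the resolved file must live directly under the resolved base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

/** Return the last $n lines of a file (the whole file is read; adequate for small logs). */
function tail_lines(string $path, int $n = 50): array {
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    return $lines === false ? [] : array_slice($lines, -$n);
}

/** Produce the HTML fragment an admin page would print, with every line escaped. */
function render_log_tail(string $requested, string $log_dir, array $allowed): string {
    $path = resolve_allowed_log($requested, $log_dir, $allowed);
    if ($path === null) {
        return '<p>' . esc_html('Requested log is not available.') . '</p>';
    }
    $out = "<pre>\n";
    foreach (tail_lines($path) as $line) {
        $out .= esc_html($line) . "\n";
    }
    return $out . '</pre>';
}

// --- Demonstration with a constructed log directory (not real AIOS logs) ---
$log_dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example-logs-' . getmypid();
mkdir($log_dir);
$allowed = ['firewall.log', 'login.log']; // hypothetical allowlist of displayable logs
file_put_contents(
    $log_dir . DIRECTORY_SEPARATOR . 'firewall.log',
    "2023-01-01 blocked request\n<script>alert('bogus log line')</script>\n" // constructed content
);

echo render_log_tail('firewall.log', $log_dir, $allowed), "\n";     // script tag is printed as text
echo render_log_tail('../../secret.txt', $log_dir, $allowed), "\n"; // rejected: not a bare, allowlisted name
echo render_log_tail('wp-config.php', $log_dir, $allowed), "\n";    // rejected: not on the allowlist

unlink($log_dir . DIRECTORY_SEPARATOR . 'firewall.log');
rmdir($log_dir);
```

The allowlist and the containment check are deliberately both present: either alone closes the traversal path, but defending in depth means a future change to one check does not silently reopen the file-disclosure issue. Escaping at the point of output, rather than when the log is written, is what stops a line injected into a log file from executing in the browser of whoever views the page.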
Consider Updating the AIOS WordPress Plugin
AIOS has addressed these issues in version 5.1.6 of the plugin. Users are advised to update to at least version 5.1.6, with the latest version being 5.1.7, which also fixes a crash issue involving the firewall setup.
NVD Security Bulletins
- CVE-2023-0157: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
- CVE-2023-0156: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)