Massive Security Breach: 1 Million+ Websites Exposed to Password Theft by Popular WordPress Plugin

Crowds of fun-seekers exploring a city on foot, "

Arjan Franzen

17 July 2023

In a shocking revelation that has sent shockwaves through the WordPress community, All-In-One Security (AIOS), a widely used WordPress security plugin installed on over 1 million websites, has been caught red-handed logging plaintext passwords and storing them in an accessible database. This major security breach, discovered three weeks ago, has raised serious concerns about the vulnerability of countless websites relying on AIOS for protection.

"Chicken Salad Chick logo: I only store passwords in WordPress plugins -

Plain text passwords?

According to the developer of AIOS, the password logging occurred when users logged into sites that installed the plugin. This alarming practice was traced back to a bug introduced in the previous version, 5.1.9, which went undetected until now. However, the developer swiftly addressed the issue with the release of version 5.2.0, ensuring that the bug was fixed and all compromised data was permanently deleted from the database. It's important to note that the exposed database was accessible only to website administrators.

Oldfields Hall Middle School logo w/ AIOS: "Secure futures

While AIOS claims that exploiting the defect requires the highest-level administrative privileges, security experts strongly caution against storing passwords in plaintext, irrespective of accessibility levels. Storing passwords in plaintext has long been regarded as a significant security lapse, as hackers have consistently exploited such vulnerabilities over the years to gain unauthorised access to sensitive data. Best practices dictate that passwords should be stored as cryptographic hashes generated through slow algorithms that make cracking them time-consuming and resource-intensive.

It is essential to safeguard user passwords by employing strong, randomly generated passwords unique to each website. This security measure significantly mitigates the risk of threat actors successfully cracking hashed passwords, even in a database breach. While some larger services have implemented login systems that shield plaintext contents, many websites retain access to passwords briefly before converting them into hashed form.

Automattic logo with "W" text: powering the web together

The password logging bug initially appeared in a WordPress forum when a concerned user discovered the issue and feared failing an upcoming security review by third-party compliance auditors. An AIOS representative promptly acknowledged the bug and offered a script to clear the logged data. However, the user reported that the provided script failed to resolve the problem, raising further doubts about the plugin's reliability.

How to fix this?

This alarming incident highlights the importance of robust security measures for websites, especially when protecting user passwords. It serves as a reminder of the risks associated with relying on vulnerable plugins and the necessity of choosing reliable and secure solutions. ZEN Software's Content at any Scale (CaaS 🧀 ) offers a highly secure and extendable open-source cloud solution built on Open Source projects like Strapi and Next.js. With unparalleled security, scalability and performance, it eliminates the risks that PHP and WordPress Plugins pose. Ensuring a rock-solid foundation for your online presence.

"Flexera Software logo featuring "NEXT.JS" text for
background

Lightning-Fast Site, Awesome Conversion