WordPress Security Plugin Vulnerability Affects +1 Million Sites

Apr 16, 2023 | SEO News Feeds




A WordPress security plugin has been found to have two vulnerabilities that could allow a malicious upload leading to cross-site scripting, and allow viewing of the contents of arbitrary files.

All-In-One Security (AIOS) WordPress Plugin

The All-In-One Security (AIOS) WordPress plugin, provided by the publishers of UpdraftPlus, offers security and firewall functionality designed to lock out hackers.

It offers login protection that locks out attackers, plagiarism protection, hotlink blocking, comment spam blocking and a firewall that serves as a defense against hacking threats.

The plugin also enforces proactive security by alerting users to common mistakes like using the “admin” user name.

It’s a comprehensive security suite that’s backed by the makers of UpdraftPlus, one of the most trusted WordPress plugin publishers.

These qualities make AIOS highly popular, with over one million WordPress installations.

Two Vulnerabilities

The United States government’s National Vulnerability Database (NVD) published a pair of warnings about two vulnerabilities.

1. Data Sanitization Failure

The first vulnerability is due to a data sanitization failure, specifically a failure to escape the contents of log files before displaying them.

Escaping output is a basic security process that strips unwanted data, such as malformed HTML or script tags, from the output a plugin generates, so that it is rendered as text rather than executed by the browser.

WordPress even has a developer page devoted to the topic, with examples of how to do it and when to do it.

WordPress’ developer page on escaping outputs explains:


“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.

This process helps secure your data prior to rendering it for the end user.”

The NVD describes this vulnerability:

“The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page.”

2. Directory Traversal Vulnerability

The second vulnerability appears to be a Path Traversal vulnerability.

This vulnerability allows an attacker to exploit a security failure in order to access files that would not ordinarily be accessible.

The non-profit Open Worldwide Application Security Project (OWASP) warns that a successful attack could compromise critical system files.

“A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.

By manipulating variables that reference files with ‘dot-dot-slash (../)’ sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.”

The NVD describes this vulnerability:

“The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in its settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access).

The plugin only displays the last 50 lines of the file.”

Both vulnerabilities require that an attacker first acquire admin-level credentials, which makes them harder to exploit.

However, one expects a security plugin not to have these kinds of preventable vulnerabilities.
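The two NVD descriptions above share one root: a log viewer that accepts a filename and echoes the file’s last lines into an admin page. The following PHP is an added example, not AIOS code, showing the two checks such a viewer needs: an allowlist plus a realpath containment check for the filename, and escaping of every line before output (plain htmlspecialchars here; inside WordPress the equivalent is esc_html()). The log directory, the allowed filename and the log contents are constructed for the demonstration.

```php
<?php
// Added example (not AIOS code): a log viewer that shows the last N lines of a
// log file without the two weaknesses described above.
// Assumptions: logs live in $logDir; only names in $allowedLogs may be shown.

function tail_lines(string $path, int $n): array {
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) { return []; }
    return array_slice($lines, -$n);
}

// Mitigation 1: allowlist the filename and confirm the resolved path stays
// inside the log directory, so "../" or absolute paths cannot escape it.
function resolve_log_path(string $requested, string $logDir, array $allowedLogs): ?string {
    if (!in_array($requested, $allowedLogs, true)) { return null; }
    $base = realpath($logDir);
    $full = realpath($logDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) { return null; }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) { return null; }
    return $full;
}

// Mitigation 2: escape every log line before it reaches the admin page, so a
// planted <script> tag is rendered as text. WordPress code would use esc_html().
function render_log(string $requested, string $logDir, array $allowedLogs, int $n = 50): string {
    $path = resolve_log_path($requested, $logDir, $allowedLogs);
    if ($path === null) { return "<p>Log file not available.</p>\n"; }
    $out = '<pre>';
    foreach (tail_lines($path, $n) as $line) {
        $out .= htmlspecialchars($line, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";
    }
    return $out . "</pre>\n";
}

// Demonstration with a constructed log directory in the system temp folder.
$logDir = sys_get_temp_dir() . '/aios-demo-logs';
@mkdir($logDir);
file_put_contents($logDir . '/firewall.log', "blocked 203.0.113.5\n<script>alert(1)</script>\n");
$allowed = ['firewall.log'];

echo render_log('firewall.log', $logDir, $allowed);        // script tag shown as escaped text
echo render_log('../../../etc/passwd', $logDir, $allowed); // rejected by allowlist and containment check
echo render_log('/etc/passwd', $logDir, $allowed);         // rejected
```

Both checks are independent: the allowlist alone stops traversal, and the escaping alone stops the stored XSS, so a defect in one does not reopen the other.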

Consider Updating the AIOS WordPress Plugin

AIOS released a patch in version 5.1.6 of the plugin. Users may wish to consider updating to at least version 5.1.6, and possibly to the latest version, 5.1.7, which fixes a crash that occurs when the firewall is not set up.

Read the Two NVD Security Bulletins

CVE-2023-0157 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

CVE-2023-0156 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Featured image by Shutterstock/Kues
