WordPress security plugin found to have two vulnerabilities that could enable a malicious upload, cross-site scripting and allow viewing the contents of arbitrary files.
All-In-One Security (AIOS) WordPress Plugin
The All-In-One Security (AIOS) WordPress plugin, offered by the publishers of UpdraftPlus, provides security and firewall functionality designed to lock out hackers.
It provides login security that locks out attackers, copy protection, hotlink blocking, comment spam blocking and a firewall that serves as a defense against hacking threats.
The plugin also enforces proactive security by alerting users to common mistakes like using the "admin" username.
It's a comprehensive security suite backed by the makers of UpdraftPlus, one of the most trusted WordPress plugin publishers.
These qualities make AIOS highly popular, with over a million WordPress installations.
Two Vulnerabilities
The US government National Vulnerability Database (NVD) published a pair of warnings about two vulnerabilities.
1. Data Sanitization Failure
The first vulnerability is due to a data sanitization failure, specifically a failure to escape log data.
Escaping data is a basic security process that strips unwanted data (such as script tags) from output generated by a plugin.
WordPress even has a developer page devoted to the topic, with examples of how to do it and when to do it.
WordPress' developer page on escaping output explains:
"Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.
This process helps secure your data prior to rendering it for the end user."
The NVD describes this vulnerability:
"The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that would be executed in the context of any administrator visiting this page."
2. Directory Traversal Vulnerability
The second vulnerability appears to be a Path Traversal vulnerability.
This vulnerability allows an attacker to exploit a security failure in order to access files that would not ordinarily be accessible.
The non-profit Open Worldwide Application Security Project (OWASP) warns that a successful attack could compromise critical system files.
"A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.
By manipulating variables that reference files with 'dot-dot-slash (../)' sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files."
The NVD describes this vulnerability:
"The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in its settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access).
The plugin only displays the last 50 lines of the file."
Both vulnerabilities require that an attacker acquire admin-level credentials to carry out the attack, which makes the attack harder to pull off.
Nevertheless, one expects a security plugin not to have these kinds of preventable vulnerabilities.
Consider Updating the AIOS WordPress Plugin
AIOS released a patch in version 5.1.6 of the plugin. Users may want to consider updating to at least version 5.1.6, and possibly to the latest version, 5.1.7, which fixes a crash that occurs when the firewall is not set up.
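The two advisories above describe the same admin feature (show the last 50 lines of a log file) failing in two ways: the file name is not restricted, and the lines are not escaped on output. The following is an added example, not the AIOS plugin's own code, of how such a feature is written defensively in WordPress; the log directory, file names and function names are hypothetical.

```php
<?php
// Added example (not AIOS code): a hardened "show last 50 lines of a log" admin view.
// Assumes a hypothetical plugin log directory under wp-content and runs inside WordPress.

// Only log files the plugin itself writes may be viewed. A fixed allowlist closes the
// arbitrary-file-read and directory-listing problem described in CVE-2023-0156.
const AIOS_EXAMPLE_ALLOWED_LOGS = array( 'firewall.log', 'login-lockouts.log' );

function aios_example_resolve_log_path( $requested ) {
    // Reject anything containing a path separator ('../' sequences, absolute paths)
    // and anything not on the allowlist, before touching the filesystem.
    $name = basename( $requested );
    if ( $name !== $requested || ! in_array( $name, AIOS_EXAMPLE_ALLOWED_LOGS, true ) ) {
        return false;
    }
    $log_dir = wp_normalize_path( WP_CONTENT_DIR . '/aios-example-logs' ); // hypothetical
    $path    = realpath( $log_dir . '/' . $name );
    // realpath() follows symlinks, so confirm the resolved file is still under $log_dir.
    if ( false === $path || 0 !== strpos( wp_normalize_path( $path ), $log_dir . '/' ) ) {
        return false;
    }
    return $path;
}

function aios_example_last_lines( $path, $count = 50 ) {
    $lines = file( $path, FILE_IGNORE_NEW_LINES );
    return ( false === $lines ) ? array() : array_slice( $lines, -$count );
}

function aios_example_render_log_page() {
    // The advisories already assume an admin-level user; still gate the page explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'aios-example' ) );
    }
    $requested = isset( $_GET['log'] ) ? sanitize_file_name( wp_unslash( $_GET['log'] ) ) : 'firewall.log';
    $path      = aios_example_resolve_log_path( $requested );
    if ( false === $path ) {
        echo '<p>' . esc_html__( 'Unknown log file.', 'aios-example' ) . '</p>';
        return;
    }
    echo '<pre>';
    foreach ( aios_example_last_lines( $path ) as $line ) {
        // Escape on output: any script tags planted in the log (CVE-2023-0157) render as text.
        echo esc_html( $line ) . "\n";
    }
    echo '</pre>';
}
```

The allowlist check and the realpath containment check are independent layers; either alone would have prevented the arbitrary-file read, and esc_html() alone would have prevented the stored XSS.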
Read the Two NVD Security Bulletins
CVE-2023-0157 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVE-2023-0156 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Featured image by Shutterstock/Kues