    From TechnologyDaily@1337:1/100 to All on Fri Jul 14 11:45:03 2023
    This WordPress plugin with over a million installs had a major security flaw

    Date:
    Fri, 14 Jul 2023 10:29:36 +0000

    Description:
    Website admins could access a plain-text password database, reports found.

    FULL STORY ======================================================================

    A popular plugin for the WordPress website builder with more than a million users was caught storing user passwords in plaintext, available for website admins to read whenever they pleased.

    A report on Ars Technica found the plugin in question, called All-In-One-Security (AIOS), was installed on at least a million websites.

    Earlier this week, its developers confirmed the flaw, saying it was a bug in the plugin's version 5.1.9. Now, there is version 5.2.0, and users are advised to update their plugin immediately. Besides stopping the plugin from saving user passwords in plaintext, the patch also deletes the problematic data from the database, the developers said.

    Rogue admins

    Speaking to Ars Technica via email, a representative of the company tried to play down the flaw, saying the passwords were only available for administrators. And when an admin goes rogue (or has their account stolen/compromised), that's as big of an issue as they come: "gaining anything from this defect requires being logged in with the highest-level administrative privileges, or equivalent. i.e. It can be exploited by a rogue admin who can already do such things because he's an admin," the email reads.

    But no one should ever have access to anyone's password. At the end of the day, hackers can try and use these passwords on other platforms and services, too. Many users go for the same login credentials across numerous services, and breaching one might mean breaching many.

    Still, AIOS developers apologized for the mistake, and gave a few pointers on what admins should do next. That includes updating all WordPress plugins, enabling multi-factor authentication (MFA) if possible, and changing passwords regularly.

    The latter, Ars Technica reminds, is no longer considered industry-standard, as some research determined that regular password changing can do more harm than good.

    Via: Ars Technica



    ======================================================================
    Link to news story: https://www.techradar.com/pro/this-wordpress-plugin-with-over-a-million-installs-had-a-major-security-flaw


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)