All-In-One Security (AIOS) 5.2.0 Release
The latest version of AIOS (All-In-One-Security), the WordPress Security Plugin from TeamUpdraft, addresses a critical issue from version 5.1.9.
Key changes
Issue Fixed: AIOS release 5.2.0 and subsequent updates resolve a bug from version 5.1.9 that caused users’ passwords to be stored in plain text within the WordPress database. This vulnerability allowed a malicious site administrator (already logged in as an admin) to potentially read these passwords. If these passwords were used on other services, and those services lacked two-factor authentication, it posed a risk to the affected website.
Resolution: The problem was identified and fixed in version 5.2.0 and all later updates. These updates not only address the issue but also remove any previously logged passwords. The patched version ensures that passwords are no longer logged and clears any saved passwords from prior versions.
Security Considerations: For an attacker to access sensitive data, additional security flaws would need to be present. They would need access to the site database, which typically requires other security issues to be exploited (e.g., having an admin login or access to unencrypted backups). Thus, the risk of unauthorized privilege escalation is minimal.
Recommendations
We apologize for this lapse and use this opportunity to reinforce key security practices to protect your website:
Keep Plugins Updated: Ensure that AIOS and all other plugins are up-to-date to patch vulnerabilities and enhance security. Check for updates within your WordPress dashboard and consider using a plugin like Easy Updates Manager to automate this process.
Regularly Change Passwords: Update all passwords frequently, particularly if you suspect they may have been compromised. This helps prevent unauthorized access and potential damage.
Enable Two-Factor Authentication (2FA): Activate 2FA on your accounts (both WordPress and other services) to add an extra layer of security. 2FA requires verification from a second device, making it significantly harder for attackers to gain access, even if they have your password. AIOS includes a 2FA module to secure your WordPress sites.
For a detailed overview of the most recent updates, please see the full changelog below.
Changelog
- SECURITY: Remove authentication data from the stacktrace before saving to the database. This defect meant that a site administrator had the potential, between releases 5.1.9 and 5.2.0 (which purges the data), to know what site users’ passwords are. This information has limited value to them (an admin can already reset anyone’s password) except insofar as the passwords may be re-used by users on other sites. In that “hostile admin” scenario, your site has other problems (since the hostile admin has a whole raft of equivalent ways of causing mischief to users, especially if not on multisite where a site admin is potentially not a super admin and may not be able to install or configure plugins). This changelog description has been expanded in response to incorrect reports which suggested a much wider problem than exists (for example, they did not mention that the attacker needs to already be logged in as an admin to access the log, or did not mention that upgrading to 5.2.0 deletes the problematic data from the database).
- SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
- Fix: After editing a file reset permissions back to the original permissions
- Fix: Corrected some broken links in the plugin
- Fix: Fatal error: cannot declare class
- Fix: Normalise all arguments in the stacktrace
- Fix: Wrong login entries added to login activity table on multisite when user logs into subsite they don’t belong to.
- Fix: Too many redirects error for forced logout users solved
- Tweak: For Cronjob, WP CLI and AIOS_DISABLE_EXTERNAL_IP_ADDR defined constant do not use external services for user IP addresses. Silenced api.ipify.org request failed warning.
- Tweak: Reset password page missing translation and generate password button added for renamed login page
- Tweak: Added aios_audit_log_event_user_ip filter to allow filtering of IP addresses in the audit log
- Tweak: Added action hook aios_reset_all_settings for reset all settings.
- Tweak: Renamed login page to have language change dropdown and other tweaks as per the WordPress 6.2
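
The first SECURITY entry and the "Normalise all arguments in the stacktrace" fix both concern what a stack trace carries when it is written to a log. The following is an added PHP 8 example, not AIOS's own code: it shows how a captured trace holds login arguments and one way to replace every argument with a type placeholder before the trace is stored. The function name example_scrub_backtrace and the sample frames are constructed for illustration; the frame layout follows PHP's debug_backtrace().

```php
<?php
// Added example, not AIOS code. Requires PHP 8.0+ (get_debug_type, str_contains).

/**
 * Replace every argument value in a backtrace with a type placeholder, so
 * no credential can reach the log regardless of which function received it.
 * (Hypothetical helper name, chosen for this example.)
 */
function example_scrub_backtrace(array $frames): array
{
    $clean = [];
    foreach ($frames as $frame) {
        $args = [];
        foreach ($frame['args'] ?? [] as $arg) {
            // Keep only the type, e.g. "<string>", "<array>", "<WP_User>".
            $args[] = '<' . get_debug_type($arg) . '>';
        }
        $clean[] = [
            'file'     => $frame['file'] ?? '',
            'line'     => $frame['line'] ?? 0,
            'class'    => $frame['class'] ?? '',
            'function' => $frame['function'] ?? '',
            'args'     => $args,
        ];
    }
    return $clean;
}

// Constructed sample: frames shaped like debug_backtrace() output during a login.
$password = 'CorrectHorse!9'; // constructed value
$frames = [
    ['file' => '/var/www/wp-includes/user.php', 'line' => 100,
     'function' => 'wp_authenticate', 'args' => ['alice', $password]],
    ['file' => '/var/www/wp-login.php', 'line' => 200, 'function' => 'wp_signon',
     'args' => [['user_login' => 'alice', 'user_password' => $password]]],
];

// A logger that serialises the raw frames would persist the password.
$raw = json_encode($frames);
// The scrubbed frames keep the call path but none of the values.
$stored = json_encode(example_scrub_backtrace($frames));

if (!str_contains($raw, $password) || str_contains($stored, $password)) {
    throw new RuntimeException('scrubbing check failed');
}
echo $stored, PHP_EOL;
```

Where the logging code controls the capture itself, calling debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS) avoids collecting argument values in the first place.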
About the author

TeamUpdraft