All-In-One Security (AIOS) 5.2.0 Release

By TeamUpdraft. Category: Company news. Topics: All-In-One-Security, Releases.

The latest version of AIOS (All-In-One-Security), the WordPress Security Plugin from TeamUpdraft, addresses a critical issue from version 5.1.9.

Issue Fixed: AIOS release 5.2.0 and subsequent updates resolve a bug from version 5.1.9 that caused users’ passwords to be stored in plain text within the WordPress database (as arguments captured in logged stack traces). This vulnerability allowed a malicious site administrator (already logged in as an admin) to potentially read these passwords. If those passwords were also used on other services, and those services lacked two-factor authentication, it posed a risk to the affected website.

Resolution: The problem was identified and fixed in version 5.2.0 and all later updates. These updates not only address the issue but also remove any previously logged passwords. The patched version ensures that passwords are no longer logged and clears any saved passwords from prior versions.
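As an added illustration of the class of fix described here (not AIOS's own code), the function below scrubs plaintext credentials from a stack trace before it is serialised for storage. The function names, the secret-key list and the sample trace are assumptions for this example; the WordPress function signatures referenced in the comments are real.

```php
<?php
// Added example (not AIOS's code): redact credentials from a stack trace
// before it is persisted to a log table. Names here are assumptions.

// Associative argument keys that carry secrets (e.g. the wp_signon() credentials array).
const EXAMPLE_SECRET_KEYS = ['user_password', 'user_pass', 'pwd', 'password', 'pass1', 'pass2'];

// WordPress functions whose positional arguments include a plaintext password.
const EXAMPLE_SECRET_FUNCS = [
    'wp_authenticate'                   => [1], // ($username, $password)
    'wp_authenticate_username_password' => [2], // ($user, $username, $password)
    'wp_check_password'                 => [0], // ($password, $hash, $user_id)
    'wp_set_password'                   => [0], // ($password, $user_id)
    'wp_signon'                         => [0], // ($credentials array)
];

// Recursively redact secret keys inside arrays; never serialise objects into the log.
function example_redact_value($value) {
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = in_array(strtolower((string) $k), EXAMPLE_SECRET_KEYS, true)
                ? '[redacted]' : example_redact_value($v);
        }
        return $value;
    }
    return is_object($value) ? '[object ' . get_class($value) . ']' : $value;
}

// Walk every frame of a debug_backtrace()-shaped array and redact known secret positions.
function example_redact_stacktrace(array $trace): array {
    foreach ($trace as $i => $frame) {
        if (empty($frame['args'])) continue;
        $func = strtolower($frame['function'] ?? '');
        foreach ($frame['args'] as $pos => $arg) {
            $secret = isset(EXAMPLE_SECRET_FUNCS[$func]) && in_array($pos, EXAMPLE_SECRET_FUNCS[$func], true);
            $trace[$i]['args'][$pos] = $secret ? '[redacted]' : example_redact_value($arg);
        }
    }
    return $trace;
}

// Constructed sample trace in the shape debug_backtrace() returns when args are included.
$sample = [
    ['function' => 'wp_check_password', 'args' => ['Tr0ub4dor&3', '$P$B[constructed hash]', 42]],
    ['function' => 'wp_signon', 'args' => [['user_login' => 'alice', 'user_password' => 'Tr0ub4dor&3']]],
    ['function' => 'some_plugin_hook', 'args' => ['harmless']],
];
$serialised = json_encode(example_redact_stacktrace($sample));
// Check before saving: the secret must not survive anywhere in the stored record.
assert(strpos($serialised, 'Tr0ub4dor&3') === false);
```

The same check (searching the serialised record for the secret) is a cheap regression test to keep next to any logging path that captures function arguments.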

Security Considerations: For an attacker to access this data, additional security flaws would need to be present. They would need access to the site database, which typically requires other security issues to be exploited (e.g., already having an admin login, or access to unencrypted backups). Thus, the risk of unauthorized privilege escalation is minimal.

We apologize for this lapse and use this opportunity to reinforce key security practices to protect your website:

Keep Plugins Updated: Ensure that AIOS and all other plugins are up-to-date to patch vulnerabilities and enhance security. Check for updates within your WordPress dashboard and consider using a plugin like Easy Updates Manager to automate this process.

Regularly Change Passwords: Update all passwords frequently, particularly if you suspect they may have been compromised. This helps prevent unauthorized access and potential damage.

Enable Two-Factor Authentication (2FA): Activate 2FA on your accounts (both WordPress and other services) to add an extra layer of security. 2FA requires verification from a second device, making it significantly harder for attackers to gain access, even if they have your password. AIOS includes a 2FA module to secure your WordPress sites.

For a detailed overview of the most recent updates, please see the full changelog below.

  • SECURITY: Remove authentication data from the stacktrace before saving to the database. This defect meant that a site administrator had the potential, between releases 5.1.9 and 5.2.0 (which purges the data), to know what site users’ passwords are. This information has limited value to them (an admin can already reset anyone’s password) except insofar as the passwords may be re-used by users on other sites. In that “hostile admin” scenario, your site has other problems (since the hostile admin has a whole raft of equivalent ways of causing mischief to users, especially if not on multisite, where a site admin is potentially not a super admin and may not be able to install or configure plugins). This changelog description has been expanded in response to incorrect reports which suggested a much wider problem than exists (for example, they did not mention that the attacker needs to already be logged in as an admin to access the log, or did not mention that upgrading to 5.2.0 deletes the problematic data from the database).
  • SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
  • Fix: After editing a file, reset permissions back to the original permissions.
  • Fix: Corrected some broken links in the plugin.
  • Fix: Fatal error “cannot declare class”.
  • Fix: Normalise all arguments in the stacktrace.
  • Fix: Wrong login entries were added to the login activity table on multisite when a user logged into a subsite they don’t belong to.
  • Fix: “Too many redirects” error for forced-logout users.
  • Tweak: Do not use external services to look up the user IP address when running under cron, under WP-CLI, or when the AIOS_DISABLE_EXTERNAL_IP_ADDR constant is defined. Silenced the api.ipify.org “request failed” warning.
  • Tweak: Added the missing translation on the reset-password page and a generate-password button for the renamed login page.
  • Tweak: Added the aios_audit_log_event_user_ip filter to allow filtering of IP addresses in the audit log.
  • Tweak: Added the action hook aios_reset_all_settings for resetting all settings.
  • Tweak: The renamed login page now has the language-change dropdown and other tweaks as per WordPress 6.2.
