A popular plugin for the WordPress website builder with more than a million users was caught storing user passwords in plaintext, available for website admins to read whenever they pleased.
A report on Ars Technica found the plugin in question, called All-In-One-Security (AIOS), was installed on at least a million websites.
Earlier this week, its developers confirmed the flaw, saying it was a bug in the plugin’s version 5.1.9. Now, there is version 5.2.0, and users are advised to update their plugin immediately. Besides stopping the plugin from saving user passwords in plaintext, the patch also “delets the problematic data from the database,” the developers said.
Speaking to Ars Technica via email, a representative of the company tried to play down the flaw, saying the passwords were only available for administrators. And when an admin goes rogue (or has their account stolen/compromised), that’s as big of an issue as they come: “gaining anything from this defect requires being logged in with the highest-level administrative privileges, or equivalent. i.e. It can be exploited by a rogue admin who can already do such things because he’s an admin,” the email reads.
But no one should ever have access to anyone’s password. At the end of the day, hackers can try and use these passwords on other platforms and services, too. Many users go for the same login credentials across numerous services, and breaching one might mean breaching many.
Still, AIOS’ developers apologizerd for the mistake, and gave a few pointers on what admins should do next. That includes updating all WordPress plugins, enabling multi-factor authentication (MFA) if possible, and changing passwords regularly.
The latter, Ars Technica reminds, is no longer considered industry-standard, as some research determined that regular password changing can do more harm than good.
Via: Ars Technica