WordPress Security Plugin Vulnerability Affects +1 Million Sites
- News
- April 11, 2023
A WordPress security plugin has been found to have two vulnerabilities that could allow a malicious upload, cross-site scripting, and viewing of the contents of arbitrary files.
All-In-One Security (AIOS) WordPress Plugin
The All-In-One Security (AIOS) WordPress plugin, offered by the publishers of UpdraftPlus, provides security and firewall functionality designed to lock out hackers.
It offers login security that locks out attackers, copy protection, hotlink blocking, comment spam blocking, and a firewall that serves as a defense against hacking threats.
The plugin also enforces proactive security by alerting users to common mistakes, such as using the "admin" user name.
It is a comprehensive security suite backed by the makers of UpdraftPlus, one of the most trusted WordPress plugin publishers.
These qualities make AIOS extremely popular, with over a million WordPress installations.
Two Vulnerabilities
The US government's National Vulnerability Database (NVD) published a pair of warnings about two vulnerabilities.
1. Data Sanitization Failure
The first vulnerability is due to a data sanitization failure, specifically a failure to escape the contents of log files before displaying them.
Escaping data is a basic security process that neutralizes or strips unwanted data (such as HTML or script tags) from the output generated by a plugin, so that it is rendered as text rather than interpreted by the browser.
WordPress even has a developer page dedicated to the subject, with examples of how to do it and when to do it.
WordPress' developer page on escaping outputs explains:
"Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.
This process helps secure your data prior to rendering it for the end user."
The NVD describes this vulnerability:
"The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page."
2. Directory Traversal Vulnerability
The second vulnerability is a Path Traversal vulnerability.
This class of vulnerability allows an attacker to exploit a security failure in order to access files that would not ordinarily be accessible.
The non-profit Open Worldwide Application Security Project (OWASP) warns that a successful attack could compromise critical system files.
"A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.
By manipulating variables that reference files with 'dot-dot-slash (../)' sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files."
The NVD describes this vulnerability:
"The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to display in its settings pages, allowing an authorized user (admin+) to view the contents of arbitrary files and list directories anywhere on the server (to which the web server has access).
The plugin only displays the last 50 lines of the file."
Both vulnerabilities require that an attacker first acquire admin-level credentials, which makes the attack harder to carry out.
Nevertheless, one expects a security plugin not to have these kinds of preventable vulnerabilities.
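As an added illustration (not the plugin's own code), the sketch below of an admin-page log viewer shows how a WordPress plugin avoids both classes of weakness described above: the request supplies an allowlisted key rather than a file path, the resolved path is checked to be inside a fixed log directory, and the log content is escaped with esc_html() before it reaches the admin page. EXAMPLE_LOG_DIR, the allowlist and the function names are hypothetical; the WordPress functions used (current_user_can, esc_html, esc_html__, wp_die) are real.

```php
<?php
// Added example, not AIOS code. EXAMPLE_LOG_DIR, the allowlist and the
// function names are hypothetical.
define( 'EXAMPLE_LOG_DIR', WP_CONTENT_DIR . '/example-plugin-logs' );
// Allowlist: the request supplies a key, never a file name or path.
const EXAMPLE_LOG_FILES = array(
    'firewall' => 'firewall.log',
    'login'    => 'login-lockouts.log',
);

/**
 * Map a user-supplied key (e.g. sanitize_key( $_GET['log'] )) to a real path
 * inside EXAMPLE_LOG_DIR. Returns false for unknown keys or for anything that
 * resolves outside the directory (the traversal class of problem above).
 */
function example_resolve_log_path( $key ) {
    if ( ! array_key_exists( $key, EXAMPLE_LOG_FILES ) ) {
        return false; // never build a path from raw input
    }
    $base = realpath( EXAMPLE_LOG_DIR );
    $path = realpath( EXAMPLE_LOG_DIR . '/' . EXAMPLE_LOG_FILES[ $key ] );
    if ( false === $base || false === $path ) {
        return false; // directory or file does not exist
    }
    // Defence in depth: the resolved path must still sit under the log
    // directory (guards against a symlinked log file pointing elsewhere).
    if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $path;
}

/**
 * Return the last $max lines of a log as HTML escaped for the admin page,
 * so planted log content displays as text instead of running as script
 * (the XSS class of problem above).
 */
function example_render_log_tail( $key, $max = 50 ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }
    $path = example_resolve_log_path( $key );
    if ( false === $path ) {
        return '<p>' . esc_html__( 'Unknown log file.', 'example' ) . '</p>';
    }
    $lines = file( $path, FILE_IGNORE_NEW_LINES ) ?: array();
    $tail  = array_slice( $lines, -$max );
    // esc_html() turns <, >, &, and quotes into entities.
    return '<pre>' . esc_html( implode( "\n", $tail ) ) . '</pre>';
}
```

The capability check belongs in the viewer as well as in the menu registration, since the vulnerable behaviour reported here was reachable by users who already held admin rights; the allowlist and escaping are what remove the traversal and XSS exposure.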
Consider Updating the AIOS WordPress Plugin
AIOS released a patch in version 5.1.6 of the plugin. Users may want to consider updating to at least version 5.1.6, and possibly to the latest version, 5.1.7, which fixes a crash that occurs when the firewall is not set up.
Read the Two NVD Security Bulletins
CVE-2023-0157 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVE-2023-0156 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Featured picture by Shutterstock/Kues