A significant security flaw has been detected in the All-In-One Security (AIOS) WordPress plugin, which is used by over one million WordPress websites. The plugin was found to be logging the plaintext passwords submitted in user login attempts into the site's database, thereby jeopardizing account security.
Around three weeks ago, a user noted that the AIOS v5.1.9 plugin was recording user login attempts together with their passwords, violating several security compliance standards such as NIST 800-63-3, ISO 27000, and GDPR. Updraft, the plugin developer, initially responded by acknowledging the bug and promising a fix in the next release.
On July 11, Updraft released AIOS version 5.2.0, which stops saving plaintext passwords and erases the previously logged entries. However, only about a quarter of AIOS users have updated to the new version, leaving over 750,000 sites still at risk.
It is recommended that websites using AIOS update to the latest version and prompt users to reset their passwords.
Source: https://www.bleepingcomputer.com/news/security/wordpress-aios-plugin-used-by-1m-sites-logged-plaintext-passwords/