The latest version of the WordPress Security Plugin from UpdraftPlus applies a fix to a bug introduced in version 5.1.9
AIOS release 5.2.0 and newer updates have fixed a bug in 5.1.9 which resulted in users’ passwords being added to the WordPress database in plain text. A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them. This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services’ logins are not protected by two-factor authentication, this could be a risk to the affected website.
The issue was flagged to us and rectified in version 5.2.0 and all newer updates – these updates also removed the existing logged data so that if you have updated, it is no longer there.
For the sensitive data to be accessed, other requirements involving further security problems would need to be met. A bad actor would need to gain access to the site database; this would require other security problems to exist (for example, the bad actor already having an administrator login on your site, or having gained access to unencrypted backups of your website). As such, the opportunity for someone to gain privileges that they did not already have is small.
The patched version stops passwords from being logged, and clears all previous saved passwords.
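As an added illustration of the defect class described above (this is not AIOS code, and the list of login function names and the sample trace are assumptions constructed for the example): a PHP backtrace captured with its function arguments carries whatever was passed to the login functions, so persisting it unscrubbed stores plaintext passwords. The block shows the unsafe serialisation beside a scrubbing step that redacts the arguments of authentication frames before the trace is saved.

```php
<?php
// Added illustration, not code from AIOS: the defect class is saving a PHP
// backtrace that still carries function arguments, so authentication frames
// such as wp_authenticate($username, $password) leak the plaintext password
// into whatever gets written to the database.

// Assumed list of WordPress login functions whose arguments hold secrets.
const SENSITIVE_FRAME_FUNCTIONS = [
    'wp_authenticate',
    'wp_signon',
    'wp_check_password',
    'wp_authenticate_username_password',
    'wp_authenticate_email_password',
];

// Return a copy of a debug_backtrace() array with the arguments of every
// authentication frame replaced by a placeholder of the same arity.
function scrub_backtrace_arguments(array $trace): array
{
    foreach ($trace as $i => $frame) {
        $name = strtolower($frame['function'] ?? '');
        if (in_array($name, SENSITIVE_FRAME_FUNCTIONS, true)) {
            $count = count($frame['args'] ?? []);
            $trace[$i]['args'] = array_fill(0, $count, '[redacted]');
        }
    }
    return $trace;
}

// Constructed sample standing in for debug_backtrace() during a login;
// 'hunter2' is a made-up password, not real data.
$sample = [
    ['function' => 'wp_authenticate', 'args' => ['alice', 'hunter2']],
    ['function' => 'wp_signon', 'args' => [['user_login' => 'alice', 'user_password' => 'hunter2'], false]],
    ['function' => 'my_plugin_hook', 'args' => [42]],
];

// Unsafe: the serialised raw trace contains the password.
$unsafe = json_encode($sample);
// Hardened: scrub before the trace is persisted.
$safe = json_encode(scrub_backtrace_arguments($sample));

assert(strpos($unsafe, 'hunter2') !== false);
assert(strpos($safe, 'hunter2') === false);

// Where arguments are not needed at all, do not capture them in the first
// place: debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS) omits every 'args' key.
```

A scrub list can only cover functions you know about, so capturing traces without arguments is the safer default for anything that ends up in a database.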
Website security best practices
This issue was important to rectify and we apologise for the lapse. We’d like to use it as an opportunity to remind you about best practices when securing your website in order to minimize the risk of a breach, or of a breach having serious consequences. If you are concerned about your website, you should implement the following protocol:
- Make sure that AIOS and any other plugins you use are up-to-date. This ensures that any vulnerabilities identified by developers or the community are patched, helping to keep your site secure. You can see which version of the plugin you’re using within your dashboard. You’ll be notified of any pending updates within the plugin screen on the WordPress dashboard. This information is also available within the WordPress dashboard updates section. A plugin like “Easy Updates Manager” can help you to automate this process.
- Change all passwords regularly, especially if you believe your password has been compromised. This will prevent anyone with your login information from causing damage to your site, or accessing your data.
- Always enable two-factor authentication on your accounts (WordPress and otherwise). This extra layer of protection works by verifying your login through a second device such as your mobile phone or tablet. It’s one of the simplest and most effective ways to keep your data out of hackers’ hands: with two-factor authentication, a stolen password still does not allow an attacker to log in to an account. AIOS includes a two-factor authentication module to protect your WordPress sites.
For the full changelog from our most recent update, please see below:
Changelog:
= 5.2.0 – 11/Jul/2023 =
* SECURITY: Remove authentication data from the stacktrace before saving to the database. This defect meant that a site administrator had the potential, between releases 5.1.9 and 5.2.0 (which purges the data), to know what site users’ passwords are. This information has limited value to them (an admin can already reset anyone’s password) except insofar as the passwords may be re-used by users on other sites. In that “hostile admin” scenario, your site has other problems (since the hostile admin has a whole raft of equivalent ways of causing mischief to users, especially if not on multisite where a site admin is potentially not a super admin and may not be able to install or configure plugins). This changelog description has been expanded in response to incorrect reports which suggested a much wider problem than exists (for example, they did not mention that the attacker needs to already be logged in as an admin to access the log, or did not mention that upgrading to 5.2.0 deletes the problematic data from the database).
* SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
* FIX: After editing a file, reset permissions back to the original permissions
* FIX: Corrected some broken links in the plugin
* FIX: Fatal error: cannot declare class
* FIX: Normalise all arguments in the stacktrace
* FIX: Wrong login entries added to login activity table on multisite when user logs into subsite they don’t belong to.
* FIX: Too many redirects error for forced logout users solved
* TWEAK: For Cronjob, WP CLI and AIOS_DISABLE_EXTERNAL_IP_ADDR defined constant do not use external services for user IP addresses. Silenced api.ipify.org request failed warning.
* TWEAK: Reset password page missing translation and generate password button added for renamed login page
* TWEAK: Added ‘aios_audit_log_event_user_ip’ filter to allow filtering of IP addresses in the audit log
* TWEAK: Added action hook “aios_reset_all_settings” for reset all settings.
* TWEAK: Renamed login page to have language change dropdown and other tweaks as per the WordPress 6.2