WordPress Plugin Vulnerability Report – All-In-One Security – Protection Bypass of Renamed Login Page via URL Encoding
Plugin Name: All-In-One Security
Key Information:
- Software Type: Plugin
- Software Slug: all-in-one-wp-security-and-firewall
- Software Status: Active
- Software Author: davidanderson
- Software Downloads: 24,151,775
- Active Installs: 1,000,000
- Last Updated: October 25, 2023
- Patched Versions: 5.2.5
- Affected Versions: <5.2.5
Vulnerability Details:
Name: All In One WP Security <= 5.2.4 - Protection Bypass of Renamed Login Page via URL Encoding
Type: Protection Mechanism Failure
CVSS Score: 5.3 (Medium)
Publicly Published: October 25, 2023
Description: The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to protection bypass on the login page in all versions up to and including 5.2.4. This makes it possible for unauthenticated attackers to visit the login page in cases where it has been renamed by using URL Encoding to visit wp-login.php.
Summary:
The All-In-One Security plugin for WordPress has a vulnerability in versions up to and including 5.2.4 that allows attackers to bypass the protection of a renamed login page via URL encoding. This vulnerability has been patched in version 5.2.5.
Detailed Overview:
A vulnerability has been disclosed in the popular All-In-One Security plugin that allows attackers to bypass the protection offered by renaming the wp-login.php page. This protection mechanism failure occurs because the plugin fails to account for URL encoding: a percent-encoded request for wp-login.php is not recognised as a request for the original login page, so the rename no longer hides it.
The vulnerability was disclosed by the Wordfence Threat Intelligence team on October 25, 2023. It affects all versions up to and including 5.2.4. The issue lies in the loginURL hook, which does not properly sanitize user input. By using URL encoding, an unauthenticated attacker could bypass the login page protection and access wp-login.php directly.
This issue poses a risk because a common security practice is to obscure the login page location. This vulnerability defeats that protection, allowing brute force and other credential attacks. Site owners are strongly advised to update to version 5.2.5 or higher as soon as possible to mitigate this weakness.
Advice for Users:
- Immediate Action: Update to version 5.2.5 or higher immediately.
- Check for Signs of Vulnerability: Review web server access logs for any attempts to directly access wp-login.php using URL encoding.
- Alternate Plugins: While a patch is available, users might consider plugins like iThemes Security or Wordfence for alternative security functionality.
- Stay Updated: Always keep plugins updated and sign up for security notifications from the developer.
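The log review recommended above, as an added example that is not part of the original report or the plugin's own code: it parses a few constructed access-log lines in combined format, percent-decodes each request path until it stops changing, and flags requests that decode to wp-login.php even though the raw path did not say so literally. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Oct/2023:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 403 512 "-" "curl/8.0"
203.0.113.5 - - [25/Oct/2023:10:01:05 +0000] "POST /wp-login%2Ephp HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.5 - - [25/Oct/2023:10:01:09 +0000] "GET /%77p-login.php?action=lostpassword HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.7 - - [25/Oct/2023:10:02:00 +0000] "GET /my-secret-login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Oct/2023:10:02:30 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def canonical_path(target: str) -> str:
    """Percent-decode the request path until it stops changing (covers double encoding),
    then lowercase it so wp-login%2Ephp, %77p-login.php and WP-LOGIN.PHP compare equal."""
    path = urlsplit(target).path
    for _ in range(5):  # bounded: a few rounds cover any realistic nesting of encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()

def naive_is_login(target: str) -> bool:
    """Literal match on the raw path: the kind of check the report describes as bypassable."""
    return urlsplit(target).path == "/wp-login.php"

def is_encoded_login_request(target: str) -> bool:
    """True when the request decodes to wp-login.php but the raw path hid that behind encoding."""
    return canonical_path(target).endswith("/wp-login.php") and not naive_is_login(target)

def find_bypass_attempts(log_text: str) -> list[dict]:
    """Return one record per log line whose raw path reached wp-login.php via percent-encoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_encoded_login_request(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "raw": m["target"], "decoded": canonical_path(m["target"]),
                         "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for h in find_bypass_attempts(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['raw']} -> {h['decoded']} ({h['status']})")
```

A literal request for /wp-login.php is not flagged, since that is what the plugin already blocks; only requests that reach it through encoding are reported, and a 200 status on such a request after the rename is the sign worth investigating.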
Conclusion:
The rapid response from the All-In-One Security developers to patch this vulnerability shows their commitment to security. Users should install version 5.2.5 or later immediately to close this protection bypass issue. Staying up-to-date is the best way to keep WordPress secure against emerging threats.
Detailed Report:
Staying on top of website security is a never-ending task. New vulnerabilities in common software are disclosed constantly, meaning diligence is required to keep your site locked down tight. Case in point: a protection bypass bug disclosed this week in the popular All In One WP Security plugin used by over 1 million WordPress sites. If you use this plugin, you need to take action now.
The All-In-One WP Security plugin is one of the most widely used security solutions for WordPress. It has over 1 million active installs and over 24 million downloads. The plugin offers various security features like login security, file permission hardening, and more.
Unfortunately, a new vulnerability was recently disclosed that impacts all versions up to and including 5.2.4. Due to a failure to sanitize user input correctly, an attacker could bypass login page rename protections by using URL encoding. This defeats the common technique of obscuring wp-login.php to stop brute force credential attacks.
This vulnerability puts sites at serious risk. If attackers can access your login page directly, that allows endless guessing of usernames and passwords. Even strong passwords could be cracked over time. Once logged in, attackers could leverage admin access to fully compromise your site, steal data, or spread malware.
To protect yourself, you need to update to version 5.2.5 or higher immediately. The developers quickly patched the issue, but you have to apply the update. Take a few minutes to upgrade the plugin, clear your caches, and then review your web logs for any evidence of compromise, such as repeated login attempts. Also consider implementing two-factor authentication as an extra layer of security on your admin account.
This vulnerability is unfortunately not an isolated incident. There have been 23 previous vulnerabilities reported in this plugin since September 2014. The steady stream of bugs reinforces why staying updated is so important. When flaws are found, you need to quickly patch to stay protected.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.