A WordPress security plugin was discovered to have two vulnerabilities that could allow a malicious upload, cross-site scripting and viewing of the contents of arbitrary files.
All-In-One Security (AIOS) WordPress Plugin
The All-In-One Security (AIOS) WordPress plugin, provided by the publishers of UpdraftPlus, offers security and firewall functionality designed to lock out hackers.
It offers log-in security protection that locks out attackers, plagiarism protection, hotlink blocking, comment spam blocking and a firewall that serves as a defense against hacking threats.
The plugin also enforces proactive security by alerting users to common mistakes like using the “admin” user name.
It’s a comprehensive security suite that’s backed by the makers of UpdraftPlus, one of the most trusted WordPress plugin publishers.
These qualities make AIOS highly popular, with over one million WordPress installations.
Two Vulnerabilities
The United States government's National Vulnerability Database (NVD) published a pair of warnings about the two vulnerabilities.
1. Data Sanitization Failure
The first vulnerability is due to a data sanitization failure, specifically a failure to escape log files.
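Escaping data is a basic security process that neutralizes any unsafe characters in outputs generated by a plugin, so that they are displayed as plain text rather than interpreted by the browser as markup or script.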
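To illustrate what escaping log output means, here is an added example (not code from AIOS or its publisher) that renders the same log lines into an HTML table with and without escaping. The log format, the sample lines and the function names `render_row_unescaped`, `render_row_escaped` and `h` are assumptions made for the illustration.

```php
<?php
// Constructed sample log lines (not taken from AIOS): timestamp, client IP,
// and the username typed into the login form. The username field is
// controlled by whoever submits the form, so it must be treated as untrusted.
$log_lines = [
    "2023-01-01 10:00:00\t203.0.113.5\tadmin",
    "2023-01-01 10:00:07\t203.0.113.9\t<script>alert(1)</script>",
    "2023-01-01 10:00:12\t203.0.113.9\tO'Brien & \"co\"",
];

// Hypothetical "before": log fields are concatenated into HTML as-is, so any
// markup stored in the log is interpreted by the browser of whoever views it.
function render_row_unescaped(string $line): string {
    [$time, $ip, $user] = explode("\t", $line, 3);
    return "<tr><td>$time</td><td>$ip</td><td>$user</td></tr>";
}

// Escape for an HTML text or attribute context. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical "after": every field is escaped at output time, including the
// ones that look harmless, because the log file itself is untrusted input.
function render_row_escaped(string $line): string {
    // array_pad keeps short or malformed lines from raising warnings.
    $fields = array_pad(explode("\t", $line, 3), 3, '');
    $cells = array_map(fn($f) => '<td>' . h($f) . '</td>', $fields);
    return '<tr>' . implode('', $cells) . '</tr>';
}

foreach ($log_lines as $line) {
    echo "unescaped: ", render_row_unescaped($line), "\n";
    echo "escaped:   ", render_row_escaped($line), "\n\n";
}
```

In the escaped output the second line's username appears as `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser shows as text. Inside WordPress code, `esc_html()` is the usual function for this output context.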