July 14, 2023

All-In-One Security Vulnerability Discovered – Logging Plaintext Passwords

All-In-One Security (AIOS) WordPress Logs Plaintext Passwords

Security is paramount. This is especially true for WordPress plugins, which are often targeted by cybercriminals. Today, we report about a recent security flaw found in a popular WordPress plugin, All-In-One Security (AIOS), and its implications for over a million users.

The All-In-One Security (AIOS) Plugin

The AIOS plugin is a security solution for WordPress sites. Installed on more than a million sites, it is designed to prevent cyberattacks, warn against the use of default admin usernames, prevent bot attacks, log user activity, and eliminate comment spam. Its popularity underscores its importance in the WordPress ecosystem.

The Security Flaw

Recently, a significant security flaw was discovered in AIOS version 5.1.9. The plugin was found to be logging plaintext passwords from login attempts to the database. This flaw essentially provides any privileged user with access to the login credentials of all other administrator users, posing a serious security risk. This revelation has sent shockwaves through the WordPress community.

User Discovery and Reaction

The flaw was identified roughly two weeks ago when users began voicing their concerns about this insecure design on the plugin’s support forums. The discovery led to a wave of complaints and concerns, highlighting the potential risk to user data and site security. The community’s response has been a mixture of surprise, concern, and frustration.

Developer Response

In response to the user complaints, the Updraft team, which maintains the AIOS plugin, released version 5.2.0 to address the issue and remove the logged passwords from the database. However, this update was met with further complaints, as users reported that the update was breaking sites and not effectively removing the password logs. In an attempt to rectify these issues, AIOS version 5.2.1 was released. Despite this, some users claim their sites are still experiencing problems.

Expert Opinion

Patchstack CEO Oliver Sild weighed in on the situation, stating that the AIOS maintainers should have warned users about the password logging. He emphasized the need for users to reset their credentials if the same combinations were used on multiple sites, as this creates an attack surface for threat actors. His comments serve as a stark reminder of the potential consequences of this security flaw.

Current Situation

Despite the updates and ongoing discussions, hundreds of thousands of websites are still running a vulnerable version of the plugin, according to WordPress statistics. This leaves a significant number of users potentially exposed to cyber threats. The situation is a ticking time bomb that needs immediate attention.


This situation underscores the importance of proactive security measures and user awareness. Users of the AIOS plugin are advised to update their installations as soon as possible and change their passwords to ensure their data remains secure. It’s a stark reminder that in the realm of cybersecurity, vigilance is key. Let’s turn this incident into a learning opportunity and strengthen our defenses.

Welcome back!
Enter your Helwp credentials to sign in.

No Account yet? Sign Up

My Account
Give Feedback
Describe your feedback *
Rate Helwp
Problem *
Describe the problem
Want us to reply?
Your E-Mail
Affiliate Disclosure

At Helwp, we’re committed to transparency and honesty. Therefore, we want to inform you that some of the links on our website are affiliate links. This means that, at no additional cost to you, we may earn a small commission if you click through and make a purchase.

We only promote products or services that we genuinely believe in. These affiliate commissions help us to maintain the website and continue to provide you with free, high-quality WordPress content.

If you are interested in how you can support us even further, check out our support page.