CVE-2023-0157
The CVE-2023-0157 entry concerns All-In-One Security (AIOS) for WordPress, where versions prior to 5.1.5 fail to escape log file content before rendering on the plugin’s admin page. This enables an authorized admin+ user to plant log files containing malicious JavaScript that executes in the cont...
CVE-2023-0156
The CVE concerns All-In-One Security (AIOS) WordPress plugin before v5.1.5. The issue permits an authorized admin+ user to view arbitrary server files and list directories via the plugin’s settings page, by bypassing limits on which log files are displayed. The impact is disclosure of file conten...
All-In-One Security (AIOS) < 5.1.5 - Admin+ Stored XSS
The plugin does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user admin+ to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page. Just create a test.pdf...
All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal
The plugin does not limit which log files may be displayed in its settings pages, allowing an authorized admin+ user to view the contents of arbitrary files and list directories anywhere on the server to which the web server has access. The plugin only displays the last 50 lines of the file. PoC POST...
CVE-2022-4346
The All-In-One Security AIOS WordPress plugin before 5.1.3 leaked settings of the plugin publicly, including the used email address...
CVE-2022-4346
The CVE-2022-4346 issue affects the All-In-One Security (AIOS) WordPress plugin (versions prior to 5.1.3). The underlying problem is an information disclosure: plugin settings, including the email address, were leaked publicly. Public references and security feeds document an exposure vector tied...
Design/Logic Flaw
The All-In-One Security AIOS WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features like IP blocks, rate limiting, brute force protection, and more...
CVE-2022-4097
The CVE-2022-4097 entry concerns the All-In-One Security (AIOS) WordPress plugin prior to 5.0.8. The root cause is IP spoofing via headers (e.g., HTTP_X_REAL_IP/HTTP_X_FORWARDED_FOR) in get_user_ip_address(), allowing attackers to bypass security controls such as IP blocks, rate limiting, and bru...
WordPress All-In-One Security (AIOS) - Security and Firewall plugin cross-site request forgery vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. WordPress All-In-One Security AIOS - Security and Firewall plugin version 5.1.0 and earlier is vulnerable to...
Cross site request forgery (csrf)
Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security AIOS – Security and Firewall WordPress plugin ≤ 5.1.0 on WordPress...
CVE-2022-44737
CVE-2022-44737 affects the WordPress All-In-One Security (AIOS) – Security and Firewall plugin, ≥ 5.1.1) or apply vendor-provided fixes. Other references corroborate CSRF risk in AIOS ≤ 5.1.0 and advise updating.