5 matches found
CVE-2022-4346
The CVE-2022-4346 issue affects the All-In-One Security (AIOS) WordPress plugin (versions prior to 5.1.3). The underlying problem is an information disclosure: plugin settings, including the email address, were leaked publicly. Public references and security feeds document an exposure vector tied...
CVE-2023-0157
The CVE-2023-0157 entry concerns All-In-One Security (AIOS) for WordPress, where versions prior to 5.1.5 fail to escape log file content before rendering on the plugin’s admin page. This enables an authorized admin+ user to plant log files containing malicious JavaScript that executes in the cont...
CVE-2023-0156
The CVE concerns All-In-One Security (AIOS) WordPress plugin before v5.1.5. The issue permits an authorized admin+ user to view arbitrary server files and list directories via the plugin’s settings page, by bypassing limits on which log files are displayed. The impact is disclosure of file conten...
CVE-2022-4097
The CVE-2022-4097 entry concerns the All-In-One Security (AIOS) WordPress plugin prior to 5.0.8. The root cause is IP spoofing via headers (e.g., HTTP_X_REAL_IP/HTTP_X_FORWARDED_FOR) in get_user_ip_address(), allowing attackers to bypass security controls such as IP blocks, rate limiting, and bru...
CVE-2024-1037
The CVE-2024-1037 entry concerns All-In-One Security (AIOS) for WordPress, affecting versions up to 5.2.5. The vulnerability is a Reflected Cross-Site Scripting via the tab parameter caused by insufficient input sanitization and output escaping, enabling unauthenticated attackers to inject web sc...