Warning: AIOS on WordPress stores users' plaintext passwords
10:53:00 | 03-08-2023

AIOS, a WordPress security plugin with more than a million installs, was found to save the plaintext passwords from login attempts into the site database, putting users' accounts at risk. To protect their accounts, users are advised to change their passwords as soon as possible.

AIOS (All-In-One Security) is a firewall and security plugin for WordPress that helps block bots and brute-force login attacks.

About three weeks ago, AIOS v5.1.9 was discovered to not only log login attempts to the aiowps_audit_log database table, but also to record the password the user typed, in plaintext, alongside each attempt. Anyone who can read that table (another administrator, someone with access to a database backup, or an attacker who has found a separate read path into the database) can therefore collect valid credentials, so users' accounts are at risk of takeover and websites running AIOS face a high risk of being compromised.

According to WordPress.org statistics, to date only about a quarter of AIOS users have applied the latest update, leaving more than 750,000 websites still at risk.

Because of the severity and scope of impact, admins of WordPress websites using the AIOS plugin are advised to update to the latest version, 5.2.0, as soon as possible. Users need to reset their passwords immediately to protect their accounts, and anyone who reused the same password on another service should change it there as well. Admins should also remember that database backups taken while the vulnerable version was installed still contain the logged passwords and need to be handled accordingly.
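The following is an added example, not code from the article or from the AIOS plugin, that models the failure mode described above and the clean-up it requires: an audit logger that stores the whole login POST body (and so the `pwd` field that wp-login.php submits) beside a hardened version that strips credential fields before writing, plus a scan-and-purge pass over a table that already contains leaked rows. The table name follows the article's aiowps_audit_log; the column layout, the JSON encoding of the `details` column, the in-memory SQLite database and the sample login attempt are all assumptions made for the example.

```python
"""Audit logging that leaks credentials vs. one that does not, plus a scan for rows that already leaked.

Added illustration: the table layout, JSON-encoded 'details' column and sample data
are assumptions for this example, not the real plugin's schema.
"""
import json
import sqlite3

# Field names that must never reach an audit log. 'log' and 'pwd' are the real
# wp-login.php form field names; the rest are common variants.
CREDENTIAL_FIELDS = {"pwd", "pass", "password", "user_pass"}

TABLE = "wp_aiowps_audit_log"  # assumed table name with the default 'wp_' prefix


def create_audit_table(conn):
    # Assumed layout: one row per login attempt, free-form details stored as JSON text.
    conn.execute(
        f"CREATE TABLE IF NOT EXISTS {TABLE} ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, created INTEGER, "
        "username TEXT, ip TEXT, event_type TEXT, details TEXT)"
    )


def log_login_attempt_vulnerable(conn, post_fields, ip, ts):
    # The defect: the entire POST body, including 'pwd', is serialised into the row.
    conn.execute(
        f"INSERT INTO {TABLE} (created, username, ip, event_type, details) VALUES (?, ?, ?, ?, ?)",
        (ts, post_fields.get("log"), ip, "failed_login", json.dumps(post_fields)),
    )


def redact_credentials(fields):
    """Return a copy of the submitted fields with every credential field removed."""
    return {k: v for k, v in fields.items() if k.lower() not in CREDENTIAL_FIELDS}


def log_login_attempt_safe(conn, post_fields, ip, ts):
    # Hardened version: credentials are dropped before anything is written.
    conn.execute(
        f"INSERT INTO {TABLE} (created, username, ip, event_type, details) VALUES (?, ?, ?, ?, ?)",
        (ts, post_fields.get("log"), ip, "failed_login", json.dumps(redact_credentials(post_fields))),
    )


def find_leaked_rows(conn):
    """Return the ids of rows whose details contain a credential field."""
    leaked = []
    for row_id, details in conn.execute(f"SELECT id, details FROM {TABLE}"):
        try:
            data = json.loads(details)
        except (json.JSONDecodeError, TypeError):
            continue  # not JSON, nothing we can inspect structurally
        if isinstance(data, dict) and any(k.lower() in CREDENTIAL_FIELDS for k in data):
            leaked.append(row_id)
    return leaked


def purge_leaked_rows(conn):
    """Delete every row that leaked a credential; return how many were removed."""
    ids = find_leaked_rows(conn)
    for row_id in ids:
        conn.execute(f"DELETE FROM {TABLE} WHERE id = ?", (row_id,))
    conn.commit()
    return len(ids)


def demo():
    """Log one attempt both ways, then scan and purge. Returns (leaked ids, purged count, rows left)."""
    conn = sqlite3.connect(":memory:")
    create_audit_table(conn)
    # Constructed login attempt, shaped like a wp-login.php POST body.
    attempt = {"log": "alice", "pwd": "S3cret!", "wp-submit": "Log In", "redirect_to": "/wp-admin/"}
    log_login_attempt_vulnerable(conn, attempt, "203.0.113.5", 1690000000)
    log_login_attempt_safe(conn, attempt, "203.0.113.5", 1690000001)
    leaked = find_leaked_rows(conn)          # only the first row carries 'pwd'
    purged = purge_leaked_rows(conn)
    remaining = conn.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchone()[0]
    return leaked, purged, remaining


if __name__ == "__main__":
    print(demo())
```

Purging the rows only cleans the live table; the same scan has to be run against, or the rows dropped from, any backup made while the vulnerable version was installed, and a purge does not change the fact that the passwords were exposed, which is why the reset is still required.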

Bkav