Description

WordPress Plugin All-In-One Security (AIOS)-Security and Firewall is prone to multiple vulnerabilities, including security bypass and information disclosure vulnerabilities. An attacker may leverage these issues to perform otherwise restricted actions and subsequently bypass CAPTCHA answer validation or to obtain sensitive information that may help in launching further attacks. WordPress Plugin All-In-One Security (AIOS)-Security and Firewall version 4.1.2 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 4.1.3 or latest

References

https://sumofpwn.nl/advisory/2016/multiple_vulnerabilities_in_all_in_one_wp_security___firewall_plugin_login_captcha.html

https://packetstormsecurity.com/files/138120/WordPress-All-In-One-Security-Firewall-4.1.2-CAPTCHA-Bypass.html

https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/

Related Vulnerabilities

MySQL CVE-2012-1697 Vulnerability (CVE-2012-1697)

WordPress Plugin Schema App Structured Data Unspecified Vulnerability (0.5.4)

Apache read beyond bounds via ap_rwrite() Vulnerability (CVE-2022-28614)

PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2007-3997)

WordPress Plugin LB Tube Video for WordPress Cross-Site Scripting (1.0)

Severity

High

Classification

CWE-200 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update