AIOS WordPress Security Plugin Collects Passwords and Stores Them as Plain Text
WordPress security plugin All-In-One Security (AIOS) has been found to do the exact opposite of what it was designed to do. A bug in the version 5.1.9 update caused users’ passwords to be written in plain text to the site’s database, leaving them open to misuse by website administrators, or by anyone else who obtains read access to that database.
AIOS is installed on over 1 million websites and provides security for WordPress sites. After the update in May this year, it was discovered that the tool was collecting passwords and storing them as plain text in a database table. Any website administrator with the highest privilege level can therefore read these passwords and misuse them, for instance by trying them against the same users’ accounts on other services, since many people reuse passwords.
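To make the failure mode concrete, here is an illustrative pair of snippets written for this article; they are not AIOS’s own code and make no claim about how the 5.1.9 bug was actually implemented. The first is a login-event logger that serializes the whole request and so persists the submitted password; the second records only an allowlist of fields and redacts password-like keys as a safety net. The table name example_login_log, the constants and the helper function names are hypothetical.

```php
<?php
// Added illustration for this article; not code from the AIOS plugin.
// Table name, constants and function names are hypothetical.

// --- Vulnerable pattern: persist the whole request on a failed login -----
// wp_login_failed fires with the submitted username. Serializing $_POST for
// "context" also captures $_POST['pwd'], the clear-text password that
// wp-login.php posts, and writes it straight into the database.
// Shown as a plain function (not hooked) so that this file only ever logs
// through the hardened version below.
function example_log_login_failed_unsafe(string $username): void {
    global $wpdb;
    $wpdb->insert($wpdb->prefix . 'example_login_log', [
        'event'      => 'login_failed',
        'user_login' => $username,
        'meta_data'  => wp_json_encode($_POST), // contains the clear-text password
        'created_at' => current_time('mysql'),
    ]);
}

// --- Hardened pattern: allowlist what you log, redact the rest -----------

// Keys that must never reach a log row, whatever else changes.
const EXAMPLE_SECRET_KEYS = ['pwd', 'pass', 'password', 'pass1', 'pass2', 'user_pass', 'pass-check'];

// The only request fields that are useful for a login audit trail.
const EXAMPLE_LOGGED_KEYS = ['log', 'redirect_to', 'testcookie'];

/**
 * Build the metadata to store for a login event. Fields outside the
 * allowlist are dropped; anything resembling a password is replaced with a
 * marker so that a later widening of the allowlist cannot reintroduce the bug.
 */
function example_login_log_metadata(array $request, string $remote_addr): array {
    $meta = ['remote_addr' => $remote_addr];
    foreach (EXAMPLE_LOGGED_KEYS as $key) {
        if (!array_key_exists($key, $request)) {
            continue;
        }
        $meta[$key] = in_array(strtolower($key), EXAMPLE_SECRET_KEYS, true)
            ? '[REDACTED]'
            : sanitize_text_field((string) $request[$key]);
    }
    return $meta;
}

// Hook only the hardened logger.
add_action('wp_login_failed', function ($username) {
    global $wpdb;
    $meta = example_login_log_metadata($_POST, $_SERVER['REMOTE_ADDR'] ?? '');
    $wpdb->insert($wpdb->prefix . 'example_login_log', [
        'event'      => 'login_failed',
        'user_login' => sanitize_user($username),
        'meta_data'  => wp_json_encode($meta),
        'created_at' => current_time('mysql'),
    ]);
});
```

The allowlist is what actually prevents the leak; the redaction check is a second line of defence for the day someone adds a new key to EXAMPLE_LOGGED_KEYS. Rows that were already written by an unsafe logger are a separate problem: they have to be deleted from the table, and every password they contained has to be treated as compromised and rotated.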
The bug in the 5.1.9 release of AIOS came to light three weeks ago when a user reported it on a WordPress forum, fearing it would count against them in a security review by compliance auditors. AIOS responded by providing a script to delete the logged data, but the script did not work.
AIOS Fixes the Bug and Releases a New Version
AIOS has now fixed the bug and released version 5.2.0. The developer is urging users to install this latest version and to change their passwords, and to keep changing them regularly; any password that was also used on another service should be changed there as well. They are also recommending that users enable two-factor authentication (2FA) on their accounts and WordPress websites.
In short, a plugin installed to protect WordPress sites had, since the 5.1.9 update in May, been silently recording its users’ passwords in plain text in the database. The fix is in 5.2.0; installing it, rotating any password used while 5.1.9 was active, and enabling 2FA are the sensible next steps.