Description

WordPress Plugin All-In-One Security (AIOS)-Security and Firewall is prone to multiple vulnerabilities, including security bypass and information disclosure vulnerabilities. An attacker may leverage these issues to perform otherwise restricted actions and subsequently bypass CAPTCHA answer validation or to obtain sensitive information that may help in launching further attacks. WordPress Plugin All-In-One Security (AIOS)-Security and Firewall version 4.1.2 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 4.1.3 or latest

References

https://sumofpwn.nl/advisory/2016/multiple_vulnerabilities_in_all_in_one_wp_security___firewall_plugin_login_captcha.html

https://packetstormsecurity.com/files/138120/WordPress-All-In-One-Security-Firewall-4.1.2-CAPTCHA-Bypass.html

https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/

Related Vulnerabilities

Magento XML Injection (aka Blind XPath Injection) Vulnerability (CVE-2021-21019)

PHP upload arbitrary file disclosure vulnerability

WordPress Plugin Simple URLs-Link Cloaking, Product Displays, and Affiliate Link Management Multiple Vulnerabilities (114)

PostgreSQL Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2013-1899)

WordPress Plugin Metform Elementor Contact Form Builder-Flexible and Design-Friendly Contact Form builder for WordPress Security Bypass (3.3.0)

Severity

High

Classification

CWE-200 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update