WordPress is a popular platform for building websites, but it is not immune to security vulnerabilities. Two vulnerabilities were recently discovered in the All-In-One Security (AIOS) WordPress plugin, published by the makers of UpdraftPlus and used on over a million WordPress installations. They could allow an attacker to execute cross-site scripting and read arbitrary files on the server.

The first vulnerability stems from a failure to sanitize output, the basic step of neutralising untrusted characters before a plugin's data is rendered on a page. Before version 5.1.5, the AIOS plugin did not escape log file content before displaying it on the plugin admin page, so an admin+ user could plant crafted log files containing malicious JavaScript that would run in the browser of any administrator viewing that page.

The second is a path traversal vulnerability, which lets an attacker reach files and directories outside the web root. Before version 5.1.5, the AIOS plugin did not restrict which log files its settings pages would display, so an admin+ user could view the contents of arbitrary files and directories anywhere on the server that the web server account can read. The plugin shows only the last 50 lines of a file.
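As an added illustration, not code from the AIOS plugin, here is a minimal log-viewer routine of the shape both findings describe, with the weak version beside a hardened one: the file name is confined to a single log directory with a realpath() check, only the last 50 lines are read, and the content is HTML-escaped before output. The function names, the log directory layout and the demo file are assumptions; in a real plugin, esc_html() and WordPress capability checks would replace the plain-PHP stand-ins used here.

```php
<?php
// Added example, not the AIOS plugin's code. Function names and the
// log directory layout are assumptions for illustration.

// Weak pattern (the shape of the pre-5.1.5 bugs): any path is read and the
// content is echoed raw, so a traversal path is readable and a log line
// containing <script> runs in the viewing admin's browser.
function show_log_weak(string $requested): string {
    $lines = file($requested, FILE_IGNORE_NEW_LINES) ?: [];
    return '<pre>' . implode("\n", array_slice($lines, -50)) . '</pre>';
}

// Hardened pattern: confine the file to one log directory and escape output.
function show_log_hardened(string $requested, string $log_dir): string {
    // 1. Only a bare, conservatively named *.log file is accepted.
    $name = basename($requested);
    if ($name === '' || !preg_match('/^[A-Za-z0-9._-]+\.log$/', $name)) {
        return '<p>Invalid log name.</p>';
    }
    // 2. Resolve both paths and require the file to sit inside $log_dir.
    //    realpath() collapses ".." and symlinks, so the check is on the
    //    real location, not on the string the user supplied.
    $base = realpath($log_dir);
    $real = realpath($log_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return '<p>Log not found.</p>';
    }
    // 3. Read only the tail (the plugin shows the last 50 lines).
    $tail = array_slice(file($real, FILE_IGNORE_NEW_LINES) ?: [], -50);
    // 4. Escape before it reaches the admin page. In WordPress use esc_html();
    //    htmlspecialchars() is its plain-PHP stand-in here.
    $safe = array_map(
        fn($l) => htmlspecialchars($l, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $tail
    );
    return '<pre>' . implode("\n", $safe) . '</pre>';
}

// Constructed demo: a temporary log directory with one file containing a
// script tag, plus a traversal-style name that the hardened version rejects.
$dir = sys_get_temp_dir() . '/log-viewer-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/firewall.log", "ok\n<script>alert(1)</script>\n");
echo show_log_hardened('firewall.log', $dir), "\n";      // tag is escaped
echo show_log_hardened('../../etc/passwd', $dir), "\n";  // "Invalid log name."
unlink("$dir/firewall.log");
rmdir($dir);
```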

Both vulnerabilities require the attacker to already hold admin-level credentials, which raises the bar for exploitation. A security plugin, however, should have robust defences against exactly this class of flaw.

AIOS released a patch in version 5.1.6 to address both vulnerabilities. Users are advised to update to at least version 5.1.6, and preferably to the latest version, 5.1.7, which also fixes a crash when the firewall is not set up. Keeping WordPress plugins up to date is essential to the security of your site.