CVE-2023-0157: All-In-One Security (AIOS) < 5.1.5 - Admin+ Stored XSS
First published: Mon Apr 10 2023(Updated: )
The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Updraftplus All-in-one Security | <5.1.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for The All-In-One Security plugin on WordPress?
The vulnerability ID for The All-In-One Security plugin on WordPress is CVE-2023-0157.
What is the severity level of CVE-2023-0157?
The severity level of CVE-2023-0157 is medium with a score of 4.8.
What does the All-In-One Security (AIOS) WordPress plugin vulnerability allow?
The vulnerability in the All-In-One Security (AIOS) WordPress plugin allows an authorized user to plant malicious JavaScript code in log files, which can be executed in the context of any administrator.
What version of the All-In-One Security plugin is affected by CVE-2023-0157?
The All-In-One Security plugin version up to but not including 5.1.5 is affected by CVE-2023-0157.
How can the All-In-One Security plugin vulnerability be fixed?
To fix the All-In-One Security plugin vulnerability, users should update to version 5.1.5 or later.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/title
- agent/severity
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/updraftplus
- canonical/updraftplus all-in-one security