First published: Mon Apr 10 2023
The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page.
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Updraftplus All-in-one Security | <5.1.5 | |
The vulnerability ID for the All-In-One Security plugin on WordPress is CVE-2023-0157.
The severity level of CVE-2023-0157 is medium with a score of 4.8.
The vulnerability in the All-In-One Security (AIOS) WordPress plugin allows an authorized user to plant malicious JavaScript code in log files, which can be executed in the context of any administrator.
All-In-One Security plugin versions up to but not including 5.1.5 are affected by CVE-2023-0157.
To fix the All-In-One Security plugin vulnerability, users should update to version 5.1.5 or later.
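The missing output escaping described in the advisory, shown as an added PHP illustration that is not the AIOS plugin's code. The function names and sample log lines are constructed for this example, and `htmlspecialchars()` stands in for WordPress's `esc_html()` so the file runs without WordPress loaded.

```php
<?php
// Added illustration; not the AIOS plugin's code. Function names are hypothetical.

// Vulnerable pattern: log lines are written into the admin page as-is,
// so markup stored in a log file becomes live HTML/JavaScript in the
// browser of whichever administrator opens the page.
function render_log_unsafe(array $lines): string {
    $html = "<pre class=\"log-view\">\n";
    foreach ($lines as $line) {
        $html .= $line . "\n";
    }
    return $html . "</pre>\n";
}

// Hardened pattern: every line is HTML-escaped at output time.
// Inside WordPress, esc_html() is the usual call; htmlspecialchars()
// is used here (an assumption of this example) so it runs stand-alone.
function render_log_safe(array $lines): string {
    $html = "<pre class=\"log-view\">\n";
    foreach ($lines as $line) {
        $html .= htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
    }
    return $html . "</pre>\n";
}

// Constructed sample log content (not taken from a real site).
$log = [
    '[2023-04-10 09:12:01] login failed for user "editor"',
    '[2023-04-10 09:12:07] note: <script>alert("log-xss")</script>',
];

echo "--- unescaped ---\n", render_log_unsafe($log);
echo "--- escaped ---\n", render_log_safe($log);

// Self-check: the escaped output must contain no raw <script> tag.
$safe = render_log_safe($log);
if (strpos($safe, '<script') !== false) {
    throw new RuntimeException('escaped output still contains a raw <script> tag');
}
```

Escaping happens when the log line is written into the page, not when it is written to the log, so log files that already exist on disk are covered as well.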