Security vulnerabilities in All In One WP Security (4)
Broken encryption allows 2FA bypass – (All in One WP Security <= 5.0.7)
The plugin protects its 2FA checks with a broken encryption scheme. An attacker who at any point in time obtained a read-only SQL injection against the target site (through any plugin, theme, or WordPress core, where such injections surface constantly) can use what was readable then to bypass all 2FA checks permanently; patching the injection afterwards does not close the bypass.
DOS through IP spoofing – (All in One WP Security <= 5.0.7)
The plugin derives the client address from values a client can spoof, so an attacker can trigger bans against arbitrary addresses: search engine crawlers, the site's own reverse proxy, or legitimate users.
Alternatively, because every spoofed address is recorded, an attacker can flood the database with entries for the entire IPv4 range (roughly 4.3 billion addresses) and bring down the MySQL server.
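The following is an added example, not code from All In One WP Security. It contrasts a naive client-IP lookup, which trusts whatever forwarding header the client sends, with one that consults such headers only when the TCP peer is a configured reverse proxy and validates the result before it is ever used as a ban key. The header names, the proxy address 203.0.113.10 and the two request arrays are constructed for the demonstration.

```php
<?php
// Added example (not plugin code): naive vs trusted-proxy client-IP lookup.
declare(strict_types=1);

/**
 * Naive lookup: the first forwarding header present wins. Any client can
 * send "X-Forwarded-For: 66.249.66.1", so a ban keyed on this value lands
 * on whatever address the attacker names. Shown only as the anti-pattern.
 */
function client_ip_naive(array $server): string
{
    foreach (['HTTP_CF_CONNECTING_IP', 'HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR'] as $h) {
        if (!empty($server[$h])) {
            // X-Forwarded-For may be a comma-separated list; take the first entry.
            return trim(explode(',', $server[$h])[0]);
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/** Syntactic validation only; returns null for anything that is not an IP. */
function validate_ip(string $ip): ?string
{
    $ok = filter_var($ip, FILTER_VALIDATE_IP);
    return $ok === false ? null : $ok;
}

/**
 * Hardened lookup. REMOTE_ADDR is the TCP peer and cannot be changed by an
 * HTTP header. Forwarding headers are consulted only when REMOTE_ADDR is one
 * of our own proxies, and then X-Forwarded-For is walked from the right,
 * skipping our proxies, so the value returned is the last hop a trusted proxy
 * actually saw. Returns null when no bannable address can be determined.
 */
function client_ip_trusted(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        // Direct connection or an untrusted intermediary: headers are ignored.
        return validate_ip($remote);
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (in_array($chain[$i], $trustedProxies, true)) {
            continue; // hop appended by one of our proxies, keep walking left
        }
        return validate_ip($chain[$i]);
    }
    // Header missing or made up only of our own proxies: never ban a proxy.
    return null;
}

// Constructed requests (not captured traffic). The attacker connects from
// 198.51.100.7 and claims to be a crawler address via the header.
$proxies = ['203.0.113.10'];
$direct = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '66.249.66.1',
];
// The same request arriving through our reverse proxy, which appends the
// real peer to whatever the client already sent.
$viaProxy = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '66.249.66.1, 198.51.100.7',
];

printf("naive   direct : %s\n", client_ip_naive($direct));
printf("trusted direct : %s\n", client_ip_trusted($direct, $proxies) ?? '(none)');
printf("naive   proxied: %s\n", client_ip_naive($viaProxy));
printf("trusted proxied: %s\n", client_ip_trusted($viaProxy, $proxies) ?? '(none)');
```

Run it with the PHP CLI: the naive lookup returns the spoofed crawler address for both requests, the trusted lookup returns the attacker's real address 198.51.100.7 for both. A ban-writing code path must refuse to insert a row when the lookup returns null; without that, and without tying the key to the TCP peer, a single client can populate the ban table with as many distinct addresses as it cares to send.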
Trivial comment spam bypass – (All in One WP Security <= 5.0.7)
The plugin's comment-spam protection is implemented as .htaccess rules. Those rules are never applied on NGINX servers, and even on Apache the check depends on request headers the client controls, so it is trivially bypassed by spoofing them.
Bypass login page IP allowlist – (All in One WP Security <= 5.0.7)
The plugin's IP allowlist for the login page does not work on NGINX servers, so on such hosts the login page stays reachable from any address even though the allowlist is configured.
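As an added example, not code from All In One WP Security, this enforces a login-page allowlist inside PHP on WordPress's own `login_init` hook, so it applies on Apache, NGINX, or any other web server; the same application-layer placement is what the .htaccess-based comment-spam rule above lacks on NGINX. The CIDR matcher, the sample allowlist 203.0.113.0/24 and 2001:db8::/32, and the test addresses are constructed for the demonstration; `add_action`, `wp_die` and `login_init` are real WordPress APIs.

```php
<?php
// Added example (not plugin code): login allowlist enforced in PHP, not .htaccess.
declare(strict_types=1);

/** True if $ip falls inside $cidr ("203.0.113.5", "203.0.113.0/24", "2001:db8::/32"). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($subnet);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed input, or IPv4 compared against IPv6
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = $bits === null ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare whole prefix bytes first, then the leftover prefix bits.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/** True if $ip matches any allowlist entry; an empty or invalid $ip never matches. */
function login_allowed(string $ip, array $allowlist): bool
{
    foreach ($allowlist as $entry) {
        if (ip_in_cidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Constructed sample allowlist (assumption for the demonstration).
const LOGIN_ALLOWLIST = ['203.0.113.0/24', '2001:db8::/32'];

// WordPress wiring: runs on every request to wp-login.php before any output,
// regardless of web server. REMOTE_ADDR is the TCP peer; behind a reverse
// proxy substitute a trusted-proxy-aware lookup, otherwise the allowlist
// only ever sees the proxy's own address.
if (function_exists('add_action')) {
    add_action('login_init', function (): void {
        if (!login_allowed($_SERVER['REMOTE_ADDR'] ?? '', LOGIN_ALLOWLIST)) {
            wp_die('Login is restricted to allowlisted addresses.', 'Forbidden', ['response' => 403]);
        }
    });
}

// Stand-alone check from the CLI (php login-allowlist.php), outside WordPress.
if (PHP_SAPI === 'cli') {
    foreach (['203.0.113.77', '203.0.114.1', '2001:db8:1::5', '2001:db9::1', 'not-an-ip'] as $ip) {
        printf("%-16s %s\n", $ip, login_allowed($ip, LOGIN_ALLOWLIST) ? 'allowed' : 'blocked');
    }
}
```

Enforcing the restriction in application code means a misconfigured or absent .htaccess cannot silently disable it; the trade-off is that PHP, not the web server, now handles every blocked request, so the check should stay cheap and run before anything else on the login page.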