Taking the pain out of enterprise WordPress development
| Affected plugin | All In One WP Security & Firewall |
| Active installs | 1+ million |
| Vulnerable version | <= 5.0.7 |
| Audited version | 5.0.7 |
| Fully patched version | 5.1.9 |
| Recommended remediation | Upgrade to version 5.1.9 or higher and explicitly enable 2FA secret encryption in the plugin settings. |
This vulnerability is the exact same one as in the Two-Factor-Authentication plugin by Updraft. All in One WP Security & Firewall contains a copy of the plugin.
I have discussed this issue with David Andersen at length in the All-In-One Security plugin support page at https://wordpress.org/support/topic/4-unpatched-security-vulnerabiities-as-of-5-0-7-fixed-yet/. He very much disputes the framing of the issue as it is presented here but nevertheless agrees that two-layers of protection are better than one. The feature, “Encrypt TFA secret keys that are stored in the database (extra protection in case of your database being hacked)” was added in AIOS 5.1.9.
Thanks for the update, we have updated the information as 2FA secrets are now encrypted with the key stored in the filesystem (albeit opt-in, rather than opt-out, but this will probably change in the future).
Leave a Reply to indigetal Cancel reply