| Affected plugin | All In One WP Security & Firewall |
| --- | --- |
| Active installs | 1+ million |
| Vulnerable version | <= 5.0.7 |
| Fully patched version | 5.0.8 |
| Recommended remediation | Update the plugin to version 5.0.8 or higher. |
The plugin’s IP allowlist for the login page does not work on NGINX servers.
Proof of concept
The plugin writes the IPs configured in the allowlist to a “.htaccess” file, which NGINX servers completely ignore. The plugin’s UI does not mention this. Consequently, users rely on the feature even though it never takes effect on most WordPress hosts, which nowadays largely run NGINX + PHP-fpm.
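The paragraph above explains why the allowlist silently does nothing under NGINX: the only place it is written is a “.htaccess” file. As an added example (not the plugin’s own code; the plugin’s exact .htaccess output is not shown here, so a standard Apache `<Files>` block with `Allow from` / `Require ip` directives is assumed), the following Python helper reads such a block and emits the equivalent NGINX `location` that NGINX will actually enforce:

```python
"""Translate an Apache-style per-file IP allowlist (the kind a plugin
writes into .htaccess) into the equivalent NGINX location block."""
import re

# Constructed sample in standard Apache syntax. The plugin's real
# .htaccess output is not shown on the page, so this is an assumption.
SAMPLE_HTACCESS = """
# BEGIN login allowlist
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.0/24
</Files>
# END login allowlist
"""

FILES_BLOCK = re.compile(r"<Files\s+([^>\s]+)\s*>(.*?)</Files>", re.S | re.I)
# Both Apache 2.2 ("Allow from") and 2.4 ("Require ip") spellings.
ALLOW_LINE = re.compile(r"^\s*(?:Allow\s+from|Require\s+ip)\s+(.+?)\s*$", re.I | re.M)


def parse_allowlist(htaccess: str) -> dict:
    """Return {filename: [ip_or_cidr, ...]} for every <Files> block
    that carries allow directives; blocks without any are skipped."""
    result = {}
    for fname, body in FILES_BLOCK.findall(htaccess):
        ips = []
        for line in ALLOW_LINE.findall(body):
            # "Allow from all" would open the file to everyone; drop it.
            ips.extend(tok for tok in line.split() if tok.lower() != "all")
        if ips:
            result[fname] = ips
    return result


def to_nginx(allowlist: dict) -> str:
    """Emit one exact-match NGINX location per file: allow the listed
    sources, deny everything else. Goes inside the site's server{}."""
    out = []
    for fname, ips in allowlist.items():
        out.append(f"location = /{fname} {{")
        out.extend(f"    allow {ip};" for ip in ips)
        out.append("    deny all;")
        out.append("    # add the site's usual fastcgi_pass/PHP-FPM directives here")
        out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_nginx(parse_allowlist(SAMPLE_HTACCESS)))
```

Without the PHP-FPM directives in the generated location, NGINX would serve wp-login.php as a static file, so merge the block with the site’s existing PHP handling rather than pasting it verbatim.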
Don’t rely on “.htaccess” files in distributed plugins.
| Vendor contacted | September 10, 2022 |
| --- | --- |
| First response | September 12, 2022 |
| Fully patched at | September 29, 2022 |
| Publicly disclosed | April 24, 2023 |