8 Oct 2019

Vulnerability Details: Open Redirect in All In One WP Security

The changelog for the latest version of the plugin All In One WP Security (All In One WP Security & Firewall) is “Fixed vulnerability related to open redirect and exposure of hidden login page for specific case. (Thanks to Erwan (wpscanteam) for letting us know)”. The entry on the WPScan Vulnerability Database for that contains almost no information and has this for the proof of concept: “The PoC will be displayed on October 22, 2019, to give users the time to update.” It is unclear what the point of that delay would be. If the vulnerability hasn’t been properly fixed, a proof of concept published that late would be too late to be of much use, since hackers would already be taking advantage of the vulnerability. At the same time, we have a hard time believing anybody looking to exploit this would have any trouble figuring out how to do so just by looking at the relevant changes made to the plugin, considering it took us around a minute.



17 Jun 2019

Even WordPress Security Plugin With 800,000+ Installs Is Failing To Do Proper Security Checks

To make sure we are providing customers of our service with the best data on vulnerabilities in WordPress plugins they may be using, we do various monitoring. One of the things we do is monitor our websites and third-party data for indications that plugins are being targeted by hackers. That leads to us noticing plenty of vulnerabilities in plugins that were up to that point publicly undisclosed, but that hackers are probably already aware of and are likely already targeting. What also frequently gets pulled in with that are requests that look to be hackers trying to access malicious files they have placed on other websites, which happen to sit in the directories of WordPress plugins. What looks to be a recent example of that involved sending a request to:

/wp-content/plugins/all-in-one-wp-security-and-firewall/other-includes/bkrijilt.php
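The kind of log monitoring described above, as an added example that is not part of the original post and is not the plugin’s or the service’s own code: a small Python scanner over web-server access-log lines that flags direct requests for PHP files inside plugin directories. A 404 for such a file is the probe pattern the post describes (a hacker checking whether a backdoor they placed elsewhere also exists here); a 200 for a PHP file that the plugin does not ship is the case where such a file actually is present. The bkrijilt.php path is the one quoted in the post; every other request, IP address, user agent and the per-plugin file manifest (`KNOWN_PLUGIN_FILES`) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Apache/nginx "combined" format. Only the
# bkrijilt.php path comes from the post; the IPs, user agents and other paths are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jun/2019:10:01:02 +0000] "GET /wp-content/plugins/all-in-one-wp-security-and-firewall/other-includes/bkrijilt.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jun/2019:10:01:03 +0000] "GET /wp-content/plugins/all-in-one-wp-security-and-firewall/js/wp-security-admin-script.js HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jun/2019:10:05:44 +0000] "POST /wp-content/plugins/all-in-one-wp-security-and-firewall/other-includes/bkrijilt.php HTTP/1.1" 404 196 "-" "python-requests/2.21"
198.51.100.7 - - [17/Jun/2019:10:05:45 +0000] "GET /wp-content/plugins/contact-form-7/wp-contact-form-7.php HTTP/1.1" 200 12 "-" "python-requests/2.21"
192.0.2.55 - - [17/Jun/2019:10:09:00 +0000] "GET /wp-content/plugins/contact-form-7/includes/shell.php HTTP/1.1" 404 196 "-" "curl/7.64"
192.0.2.55 - - [17/Jun/2019:10:09:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2000 "-" "curl/7.64"
198.51.100.7 - - [17/Jun/2019:10:12:30 +0000] "GET /wp-content/plugins/contact-form-7/includes/up.php?cmd=id HTTP/1.1" 200 57 "-" "python-requests/2.21"
"""

# Hypothetical per-plugin manifests of the PHP files a clean install ships.
# In practice these would be generated from the plugin's release zip.
KNOWN_PLUGIN_FILES = {
    "contact-form-7": {"wp-contact-form-7.php"},
}

# Combined-log-format parser: client IP, timestamp, method, path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Direct request for a .php file inside a plugin directory (query string already removed).
PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/]+)/(?P<rest>[^?]+\.php)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["path"] = req["path"].split("?", 1)[0]  # drop the query string
    req["status"] = int(req["status"])
    return req


def classify(req, known_files=KNOWN_PLUGIN_FILES):
    """Label a suspicious direct request to a plugin PHP file, or return None."""
    pm = PLUGIN_PHP_RE.match(req["path"])
    if not pm:
        return None
    slug, rest = pm.group("slug"), pm.group("rest")
    if req["status"] == 404:
        # The file does not exist here: somebody is probing for it.
        return "probe_missing_file"
    manifest = known_files.get(slug)
    if req["status"] == 200 and manifest is not None and rest not in manifest:
        # A PHP file the plugin does not ship was served: possible planted file.
        return "served_unknown_file"
    return None


def find_plugin_probes(log_text, known_files=KNOWN_PLUGIN_FILES):
    """Scan log text and return one hit dict per flagged request."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        label = classify(req, known_files)
        if label:
            hits.append({"ip": req["ip"], "path": req["path"],
                         "status": req["status"], "label": label})
    return hits


def rank_by_sources(hits):
    """Group hits by path and rank paths by the number of distinct source IPs."""
    sources = defaultdict(set)
    for h in hits:
        sources[h["path"]].add(h["ip"])
    return sorted(sources.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for path, ips in rank_by_sources(find_plugin_probes(SAMPLE_LOG)):
        print(f"{len(ips):3d} source(s)  {path}")
```

Ranking by distinct source IPs is what separates a file being probed across many sites (the pattern worth investigating) from a single scanner’s noise; requests to files a plugin actually ships, such as `wp-contact-form-7.php` above, are deliberately left alone because plugins’ own PHP files get requested directly for legitimate reasons too.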