20 Apr 2022

Developers of 1+ Million Install WordPress Security Plugin All In One WP Security & Firewall Not Disclosing Change in Ownership

The latest version of the WordPress security plugin All In One WP Security & Firewall fixed a minor security vulnerability. While there is an extensive changelog for that version, there doesn’t appear to be any mention of that. Take a look for yourself:

  • FEATURE: Reset all settings by clicking on the “Reset Settings” button on the Settings Page.
  • FEATURE: Verify the Google reCaptcha Site key before rendering and disable it if the Google reCaptcha site key is invalid.
  • FIX: PHP Fatal error: Cannot redeclare wp_install_maybe_enable_pretty_permalinks() in specific server.
  • FIX: throwing database error for creating debug log table in specific MySQL server.
  • FIX: Compatibility issue with WPML plugin for login and logout functionality.
  • FIX: Update email sent in English instead of setting language.
  • FIX: The Simple Math Captcha can’t be validated when a third-party plugin clears transients more frequently.
  • FIX: The login lockdown unlock request was not working in a few specific server environments.
  • FIX: The warning headers already sent was displayed in a few specific server environments.
  • FIX: Handle invalid tabs appropriately in setting pages.
  • TWEAK: Add review notice.
  • TWEAK: Improve functionality of fake google bot prevents to access the site.
  • TWEAK: Remove IP address retrieval setting and detect IP address automatically.
  • TWEAK: Verify Google reCaptcha site key before rendering the reCaptcha.
  • TWEAK: Remove force logout checking from REST API Call.
  • TWEAK: Made Admin Dashboard > WP Security > Settings tabs extensible.
  • TWEAK: Add G2 review message in the admin footer.
  • TWEAK: Format failed login date time according to WordPress general settings.
  • TWEAK: Remove unused codes from AIOWPSecurity_Config.
  • TWEAK: Add more specific instructions to change the Display name compared to the username in Admin Dashboard > WP Security > User Accounts > “Display Name” tab > “Modify Accounts With Identical Login Name & Display Name” section.
  • TWEAK: Remove Admin Dashboard > WP Security > Site Info tab (now redundant because of WP’s “Site Health” tool)
  • TWEAK: The “Allow Login Lockout Request” checkbox is ticked by default.
  • FIX: Fix login lockout issue with different timezone.

As at least one of the customers of our main service used that plugin, we took a close look at that as the discoverers provided almost no information to confirm there was a vulnerability and that it had been fixed. What we found is that the developer had fixed the vulnerability, but hadn’t properly secured the code, increasing the chances that there could be another instance of this problem in the future. That should have been addressed, particularly considering this is a security plugin.