Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The All-In-One Security (AIOS) - Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. When the 'Disable REST API for non-logged in users' feature (aiowps_disallow_unauthorized_rest_requests) is enabled alongside debug logging (aiowps_enable_debug), an unauthenticated attacker can embed arbitrary HTML or JavaScript in the REST request path. The path is retrieved via urldecode($_SERVER['REQUEST_URI']), which decodes URL-encoded payloads into literal HTML characters. This decoded, unsanitized value is concatenated directly into a debug log message and stored in the database. When an administrator navigates to the AIOS Dashboard Debug Logs page, the column_default() method returns the raw database value without escaping, and the parent list table echoes it directly, causing JavaScript execution in the administrator's browser session. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page, enabling nonce theft, privileged AJAX/REST actions, and potential full site compromise.
AnalysisAI
Stored cross-site scripting in the All-In-One Security (AIOS) WordPress plugin through version 5.4.7 allows unauthenticated attackers to inject JavaScript that executes when administrators view the debug logs page. The flaw was reported by Wordfence and requires two specific plugin settings to be enabled simultaneously, and no public exploit identified at time of analysis. Successful exploitation enables nonce theft and privileged actions on behalf of the administrator, potentially leading to full site takeover.
Technical ContextAI
The vulnerability lives in the AIOS plugin's debug logging pipeline. When the 'Disable REST API for non-logged in users' guard (aiowps_disallow_unauthorized_rest_requests) blocks an anonymous REST call, the plugin calls get_rest_route() which invokes urldecode($_SERVER['REQUEST_URI']) - converting URL-encoded payloads into literal HTML characters - and then concatenates that decoded path into a debug log entry stored in the database. Later, when an administrator opens the AIOS Debug Logs page, the column_default() method in wp-security-list-debug.php returns the raw stored value and the WordPress WP_List_Table parent echoes it without escaping. This is a textbook CWE-79 (Improper Neutralization of Input During Web Page Generation) chain combining missing input sanitization at the entry point and missing output escaping at the sink, and it affects the davidanderson all-in-one_security_(aios) CPE for all versions up to and including 5.4.7.
RemediationAI
Upstream fix available via WordPress.org plugin changeset 3558989 (https://plugins.trac.wordpress.org/changeset/3558989/); a released patched version is not independently confirmed in the supplied data, so administrators should upgrade to the latest AIOS release published after that changeset and verify via the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/d2b7ed73-a654-40ef-8d80-6171393da8e7. Until the upgrade is applied, two effective compensating controls are to disable the plugin's debug logging by turning off aiowps_enable_debug - this breaks the storage sink and prevents any payload from being persisted, at the cost of losing AIOS diagnostic logs - or to disable the 'Disable REST API for non-logged in users' option (aiowps_disallow_unauthorized_rest_requests), which removes the code path that captures the unauthenticated REST URI, at the cost of weakening REST hardening for anonymous clients. As an additional layer, restrict access to /wp-admin and the AIOS Debug Logs page to trusted IPs so that administrators are less likely to render stored payloads, and clear any existing debug log entries after patching to remove payloads that may already be persisted in the database.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34942
GHSA-p64v-fh44-3cqj