Skip to main content

AIOS WordPress Plugin EUVDEUVD-2026-34942

| CVE-2026-8438 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-06 Wordfence GHSA-p64v-fh44-3cqj
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 02:29 vuln.today
CVE Published
Jun 06, 2026 - 01:26 nvd
HIGH 7.2

DescriptionCVE.org

The All-In-One Security (AIOS) - Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. When the 'Disable REST API for non-logged in users' feature (aiowps_disallow_unauthorized_rest_requests) is enabled alongside debug logging (aiowps_enable_debug), an unauthenticated attacker can embed arbitrary HTML or JavaScript in the REST request path. The path is retrieved via urldecode($_SERVER['REQUEST_URI']), which decodes URL-encoded payloads into literal HTML characters. This decoded, unsanitized value is concatenated directly into a debug log message and stored in the database. When an administrator navigates to the AIOS Dashboard Debug Logs page, the column_default() method returns the raw database value without escaping, and the parent list table echoes it directly, causing JavaScript execution in the administrator's browser session. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page, enabling nonce theft, privileged AJAX/REST actions, and potential full site compromise.

AnalysisAI

Stored cross-site scripting in the All-In-One Security (AIOS) WordPress plugin through version 5.4.7 allows unauthenticated attackers to inject JavaScript that executes when administrators view the debug logs page. The flaw was reported by Wordfence and requires two specific plugin settings to be enabled simultaneously, and no public exploit identified at time of analysis. Successful exploitation enables nonce theft and privileged actions on behalf of the administrator, potentially leading to full site takeover.

Technical ContextAI

The vulnerability lives in the AIOS plugin's debug logging pipeline. When the 'Disable REST API for non-logged in users' guard (aiowps_disallow_unauthorized_rest_requests) blocks an anonymous REST call, the plugin calls get_rest_route() which invokes urldecode($_SERVER['REQUEST_URI']) - converting URL-encoded payloads into literal HTML characters - and then concatenates that decoded path into a debug log entry stored in the database. Later, when an administrator opens the AIOS Debug Logs page, the column_default() method in wp-security-list-debug.php returns the raw stored value and the WordPress WP_List_Table parent echoes it without escaping. This is a textbook CWE-79 (Improper Neutralization of Input During Web Page Generation) chain combining missing input sanitization at the entry point and missing output escaping at the sink, and it affects the davidanderson all-in-one_security_(aios) CPE for all versions up to and including 5.4.7.

RemediationAI

Upstream fix available via WordPress.org plugin changeset 3558989 (https://plugins.trac.wordpress.org/changeset/3558989/); a released patched version is not independently confirmed in the supplied data, so administrators should upgrade to the latest AIOS release published after that changeset and verify via the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/d2b7ed73-a654-40ef-8d80-6171393da8e7. Until the upgrade is applied, two effective compensating controls are to disable the plugin's debug logging by turning off aiowps_enable_debug - this breaks the storage sink and prevents any payload from being persisted, at the cost of losing AIOS diagnostic logs - or to disable the 'Disable REST API for non-logged in users' option (aiowps_disallow_unauthorized_rest_requests), which removes the code path that captures the unauthenticated REST URI, at the cost of weakening REST hardening for anonymous clients. As an additional layer, restrict access to /wp-admin and the AIOS Debug Logs page to trusted IPs so that administrators are less likely to render stored payloads, and clear any existing debug log entries after patching to remove payloads that may already be persisted in the database.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-34942 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy