Description
The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. When the 'Disable REST API for non-logged in users' feature (aiowps_disallow_unauthorized_rest_requests) is enabled alongside debug logging (aiowps_enable_debug), an unauthenticated attacker can embed arbitrary HTML or JavaScript in the REST request path. The path is retrieved via urldecode($_SERVER['REQUEST_URI']), which decodes URL-encoded payloads into literal HTML characters. This decoded, unsanitized value is concatenated directly into a debug log message and stored in the database. When an administrator navigates to the AIOS Dashboard Debug Logs page, the column_default() method returns the raw database value without escaping, and the parent list table echoes it directly, causing JavaScript execution in the administrator's browser session. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page, enabling nonce theft, privileged AJAX/REST actions, and potential full site compromise.
Published: 2026-06-06
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The All‑In‑One Security (AIOS) plugin for WordPress contains a stored Cross‑Site Scripting flaw in the code path that logs blocked REST API requests. When debug logging (aiowps_enable_debug) is enabled together with the 'Disable REST API for non‑logged in users' option (aiowps_disallow_unauthorized_rest_requests), an unauthenticated attacker can send a REST request whose URL‑encoded path contains HTML or JavaScript. get_rest_route() decodes the path with urldecode(), so the encoded payload becomes literal markup, and that value is concatenated into the debug log message and stored in the database. The Dashboard Debug Logs page later renders the stored value through column_default() without escaping, so the script executes in the administrator's browser, enabling nonce theft, privileged AJAX or REST actions and potentially full site compromise. The root cause is a missing output‑escaping step on data that was decoded before being logged, corresponding to CWE‑79.
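The decode‑then‑echo sequence described above, as an added Python illustration. This is not the plugin's code and is not reproduced from it: decode_route() and the render_cell_* functions are stand‑ins for get_rest_route() and column_default(), html.escape() plays the role of WordPress's esc_html(), and the request path is constructed for the example. It also shows why a filter applied to the raw URI before decoding does nothing, and that escaping at the output boundary is the fix.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Constructed attacker request: the payload is percent-encoded, so the raw
# REQUEST_URI contains no literal '<' or '>'; only decoding produces them.
RAW_REQUEST_URI = "/wp-json/wp/v2/users/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"


def decode_route(raw_uri: str) -> str:
    """Stand-in for urldecode($_SERVER['REQUEST_URI']); unquote_plus also maps '+' to space."""
    return unquote_plus(raw_uri)


def log_blocked_rest_request(raw_uri: str, store: list) -> str:
    """Builds the debug message by concatenation and appends it to the 'database'."""
    message = "Blocked unauthenticated REST request: " + decode_route(raw_uri)
    store.append(message)
    return message


def render_cell_vulnerable(stored_value: str) -> str:
    """Table cell returning the raw stored value, as an unescaping column_default() would."""
    return "<td>" + stored_value + "</td>"


def render_cell_fixed(stored_value: str) -> str:
    """Escape at the output boundary; html.escape stands in for esc_html()."""
    return "<td>" + html.escape(stored_value, quote=True) + "</td>"


def naive_input_filter(raw_uri: str) -> str:
    """Tempting but wrong fix: strip angle brackets from the raw URI before decoding.
    At that point the brackets are still '%3C'/'%3E', so nothing is removed."""
    return raw_uri.replace("<", "").replace(">", "")


class _TagCollector(HTMLParser):
    """Collects start tags so we can see what a browser would parse from the cell."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered_html: str) -> list:
    """Return the start tags a browser would see in the rendered fragment."""
    parser = _TagCollector()
    parser.feed(rendered_html)
    return parser.tags


def demo() -> dict:
    db = []
    log_blocked_rest_request(RAW_REQUEST_URI, db)
    filtered_db = []
    log_blocked_rest_request(naive_input_filter(RAW_REQUEST_URI), filtered_db)
    return {
        "vulnerable": render_cell_vulnerable(db[0]),            # browser sees <td> and <img>
        "fixed": render_cell_fixed(db[0]),                      # browser sees only <td>
        "naive_filter": render_cell_vulnerable(filtered_db[0]),  # still <td> and <img>
    }


if __name__ == "__main__":
    for name, cell in demo().items():
        print(f"{name:13s} tags={tags_in(cell)}  {cell}")
```

The point of the naive_input_filter() case is that "sanitizing" before urldecode() cannot work, because the dangerous characters do not exist yet; the only robust place to neutralise them is where the value is turned into HTML.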

Affected Systems

All‑In‑One Security (AIOS) – Security and Firewall plugin versions up to and including 5.4.7 are affected, on any WordPress installation. The flaw is only reachable when both the 'Disable REST API for non‑logged in users' option and debug logging are enabled, but site owners should check the installed plugin version rather than rely on the settings, and update once a fixed release is available.

Risk and Exploitability

The CVSS 3.1 base score is 7.2 (High), with vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N: reachable over the network, low complexity, no privileges required, and a scope change because the script runs in the administrator's browser rather than in the plugin itself. EPSS data is not available, so exploitation probability cannot be quantified, and the issue is not listed in CISA's KEV catalog. Based on the description, exploitation does not bypass the REST API restriction; it relies on it. The attacker sends a REST request with a URL‑encoded payload in the path, the plugin blocks the request and writes the decoded path to the debug log, and the payload executes the next time an administrator opens the Dashboard Debug Logs page. No victim interaction beyond routine use of the dashboard is needed, which is why the vector records UI:N.

Generated by OpenCVE AI on June 6, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the All‑In‑One Security plugin to a release later than 5.4.7 that contains the fix as soon as one is available; at the time of this entry no vendor fix or workaround is recorded on this page.
  • Until then, disable the "Enable Debug Logging" setting (aiowps_enable_debug). Turning off either setting breaks the logging path, but the "Disable REST API for non‑logged in users" option (aiowps_disallow_unauthorized_rest_requests) is a hardening control, so prefer to keep it and disable debug logging instead. Entries already written to the debug log still render unescaped, so avoid opening the Dashboard Debug Logs page until the plugin is patched.
  • For plugin code, treat the decoded request path as untrusted data: do not concatenate it into log messages or HTML, and escape every value rendered in admin pages at the output boundary (esc_html() or esc_attr() in WordPress), which is the standard mitigation for CWE‑79.
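A triage helper added here, not part of AIOS or of OpenCVE: it scans web‑server access logs for REST API requests whose URL‑decoded target contains markup characters, which is what an attempt to seed the debug log would look like. The sample log lines are constructed; the /wp-json/ prefix and the rest_route= query parameter are WordPress's standard REST entry points, and both are checked because REQUEST_URI includes the query string.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Characters that become markup once the path is urldecode()d and echoed.
MARKUP_CHARS = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)

# Constructed sample lines (not real traffic). Only the second and third are
# REST requests carrying encoded markup; the fourth has markup but is not REST.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [06/Jun/2026:02:10:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 401 87 "-" "curl/8.0"
203.0.113.10 - - [06/Jun/2026:02:10:03 +0000] "GET /wp-json/wp/v2/users/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 401 87 "-" "curl/8.0"
198.51.100.7 - - [06/Jun/2026:02:11:15 +0000] "GET /?rest_route=/wp/v2/posts%3Cscript%3E HTTP/1.1" 401 87 "-" "python-requests/2.31"
192.0.2.44 - - [06/Jun/2026:02:12:00 +0000] "GET /blog/%3Cb%3Ehello%3C/b%3E HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.45 - - [06/Jun/2026:02:12:30 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 312 "-" "Mozilla/5.0"
"""


def is_rest_request(target: str) -> bool:
    """True for /wp-json/... paths and for ?rest_route=... requests."""
    parts = urlsplit(target)
    if parts.path == "/wp-json" or parts.path.startswith("/wp-json/"):
        return True
    return "rest_route" in parse_qs(parts.query)


def suspicious_rest_requests(log_text: str) -> list:
    """Return REST requests whose decoded target contains markup characters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not is_rest_request(target):
            continue
        decoded = unquote_plus(target)  # the same transform PHP's urldecode() applies
        if MARKUP_CHARS.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "decoded_target": decoded,
            })
    return hits


def sources(hits: list) -> dict:
    """Count flagged requests per source address for a quick summary."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = suspicious_rest_requests(SAMPLE_ACCESS_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["status"]} {h["decoded_target"]}')
    print("per source:", sources(found))
```

To run it against a real server, pass the contents of the access log to suspicious_rest_requests(). A hit shows that someone tried; whether the payload was actually stored depends on both plugin settings having been enabled at the time, so confirm against the stored debug log entries in the database rather than by opening the Debug Logs page.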


Advisories

No advisories yet.

History

Sat, 06 Jun 2026 02:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           identical to the Description shown at the top of this page
Title        (none)           All-In-One Security (AIOS) <= 5.4.7 - Unauthenticated Stored Cross-Site Scripting via REST API Request Path
Weaknesses   (none)           CWE-79
References   (none)           (none)
Metrics      (none)           cvssV3_1: score 7.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T01:26:10.529Z

Reserved: 2026-05-12T18:50:59.037Z

Link: CVE-2026-8438

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-06T02:16:21.453

Modified: 2026-06-06T02:16:21.453

Link: CVE-2026-8438

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T03:30:11Z

Weaknesses