c0ntr07

Was the plug-in not tested? I am very hesitant to install this fix. AIOS has taken down my website three times now and we still have clear text passwords in logs and backups. I have very little confidence in AIOS’s development skills and security awareness.

The update just took down my site.

Fatal error: Uncaught Error: Call to a member function log_debug() on null in /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowps-premium-base-tasks.php:337 Stack trace: #0 /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowps-cb-country-tasks.php(106): AIOWPS_Premium_Base_Tasks->get_country_code_from_ip(‘107.77.223.161’) #1 /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowps-cb-country-tasks.php(31): AIOWPS_Country_Tasks->is_blocked() #2 /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowp-cb-general-init-tasks.php(27): AIOWPS_Country_Tasks->perform_country_check() #3 /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowp-cb-general-init-tasks.php(13): AIOWPS_CB_General_Init_Tasks->do_country_blocking_general_tasks() #4 /home/xwjqg932/public_html/wp-content/plugins/all in /home/xwjqg932/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/classes/aiowps-premium-base-tasks.php on line 337

There has been a critical error on this website.

Any update on when the fix will be officially published? We really need this critical vulnerability fixed and the logs purged.

• Version: 5.1.9
• Last Updated:?1 month ago

https://www.dropbox.com/scl/fi/pjg0rlfoiu4v7h25t1qd2/Screen-Shot-2023-06-24-at-2.34.34-PM-clean.png?dl=0&rlkey=ch0lfgkbw8h2prb2ypf9xlbpb

I have a screenshot of the error message. How can I post it here?

Thank you so much for the development copy. Unfortunately it didn’t work and threw an UNCAUGHT ERROR error where AIOS_HELPER couldn’t be found requiring a site restoration from back up.

Why isn’t this being a critical vulnerability and immediately being pushed?

This is a HUGE issue. Anyone, like a contractor, has access to the username and passwords of all other site admins.

Furthermore, as our pentesting has documented, contractor and site designers have very poor password practices. Our contract’s credentials are the same one’s they use on ALL OF THEIR OTHER CLIENT SITES (and their Gmail and Facebook).