Plugin Vulnerability Hub
Plugin 26 known issues Latest disclosed Feb 08, 2024

All-In-One Security (AIOS) – Security and Firewall Vulnerabilities

Review known vulnerability records for the WordPress plugin All-In-One Security (AIOS) – Security and Firewall (`all-in-one-wp-security-and-firewall`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2024-30468, CVE-2024-1037 and CVE-2023-52147, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 26
High or Critical: 7
Patch Coverage: 100%
Last Updated: Apr 03, 2024
Priority CVE Quick Links

Fast paths into All-In-One Security (AIOS) – Security and Firewall CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 21
CVE-2016-10887 Critical 4.0.9
CVE-2016-10887 All-In-One Security (AIOS) – Security and Firewall SQL Injection

All In One WP Security & Firewall <= 4.0.8 - SQL Injection

CVE-2016-10888 Critical 4.0.7
CVE-2016-10888 All-In-One Security (AIOS) – Security and Firewall SQL Injection

All In One WP Security & Firewall <= 4.0.6 - SQL Injection

CVE-2015-9310 Critical 3.9.1
CVE-2015-9310 All-In-One Security (AIOS) – Security and Firewall SQL Injection

All In One WP Security & Firewall <= 3.9.0 - SQL Injection

CVE-2015-0894 Critical 3.8.8
CVE-2015-0894 All-In-One Security (AIOS) – Security and Firewall SQL Injection

All In One WP Security & Firewall <= 3.8.7 - SQL Injection

CVE-2022-44737 High 5.1.1
CVE-2022-44737 All-In-One Security (AIOS) – Security and Firewall Cross-Site Request Forgery

All In One WP Security & Firewall <= 5.1.0 - Cross-Site Request Forgery

CVE-2014-6242 High 3.8.3
CVE-2014-6242 All-In-One Security (AIOS) – Security and Firewall SQL Injection

All In One WP Security & Firewall <= 3.8.2 - Authenticated Access or Cross-Site Request Forgery leading to SQL Injection via orderby, order Parameters

CVE-2022-4097 Medium 5.0.8
CVE-2022-4097 All-In-One Security (AIOS) – Security and Firewall Vulnerability

All-In-One Security (AIOS) – Security and Firewall <= 5.0.8 - IP Spoofing to Protection Mechanism Bypass

CVE-2024-1037 Medium 5.2.6
CVE-2024-1037 All-In-One Security (AIOS) – Security and Firewall Cross-Site Scripting

All-In-One Security (AIOS) – Security and Firewall <= 5.2.5 - Reflected Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for All-In-One Security (AIOS) – Security and Firewall so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 26 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 4 critical and 3 high severity findings.
Recent CVEs: CVE-2024-30468, CVE-2024-1037 and CVE-2023-52147
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Known Vulnerabilities

Reports for All-In-One Security (AIOS) – Security and Firewall

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2024-30468
CVE-2024-30468: All In One WP Security <= 5.2.6 - Cross-Site Request Forgery to IP Blocking

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.6. This is due to missing or incorrect nonce validation on the render_404_detection() function. This makes it possible...

Published: Feb 08, 2024
Patched Release: 5.2.7
Affected Versions: Versions up to 5.2.6
Next Step: Update to 5.2.7 or newer if supported.
Plugin Medium Patched: Yes CVE-2024-1037
CVE-2024-1037: All-In-One Security (AIOS) – Security and Firewall <= 5.2.5 - Reflected Cross-Site Scripting

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for u...

Published: Feb 06, 2024
Patched Release: 5.2.6
Affected Versions: Versions up to 5.2.5
Next Step: Update to 5.2.6 or newer if supported.
Plugin Medium Patched: Yes CVE-2023-52147
CVE-2023-52147: All In One WP Security <= 5.2.4 - Protection Bypass of Renamed Login Page via URL Encoding

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to protection bypass on the login page in all versions up to and including 5.2.4. This makes it possible for unauthenticated attackers to visit the login page in cases where it has been rena...

Published: Oct 25, 2023
Patched Release: 5.2.5
Affected Versions: Versions before 5.2.5
Next Step: Update to 5.2.5 or newer if supported.
Plugin Medium Patched: Yes
All In One WP Security 5.1.9 - Plaintext Storage of Credentials

The All In One WP Security plugin for WordPress is vulnerable to sensitive information disclosure in version 5.1.9. This is due to insufficient encryption on credentials stored in database logs. This makes it possible for attackers to retrieve the username and password of users t...

Published: Jul 11, 2023
Patched Release: 5.2.0
Affected Versions: 5.1.9 through 5.1.9
Next Step: Update to 5.2.0 or newer if supported.
Plugin Medium Patched: Yes CVE-2023-0157
CVE-2023-0157: All-In-One Security (AIOS) <= 5.1.4 - Authenticated (Admin+) Stored Cross-Site Scripting

The All-In-One Security (AIOS) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via log files in versions up to, and including, 5.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrato...

Published: Mar 20, 2023
Patched Release: 5.1.5
Affected Versions: Versions up to 5.1.4
Next Step: Update to 5.1.5 or newer if supported.
Plugin Medium Patched: Yes CVE-2023-0156
CVE-2023-0156: All-In-One Security (AIOS) <= 5.1.4 - Authenticated (Admin+) Directory Traversal

The All-In-One Security (AIOS) plugin for WordPress is vulnerable to directory traversal in versions up to, and including, 5.1.4. This allows authenticated attackers with administrator-level permissions to read the contents of arbitrary files on the server.

Published: Feb 14, 2023
Patched Release: 5.1.5
Affected Versions: Versions up to 5.1.4
Next Step: Update to 5.1.5 or newer if supported.
Plugin Medium Patched: Yes CVE-2022-4346
CVE-2022-4346: All-In-One Security <= 5.1.2 - Information Disclosure

The All-In-One Security plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 5.1.2. This is due to the plugin allowing administrators to upload backups to publicly accessible folders for restoring purposes. While under normal use these f...

Published: Dec 09, 2022
Patched Release: 5.1.3
Affected Versions: Versions up to 5.1.2
Next Step: Update to 5.1.3 or newer if supported.
Plugin High Patched: Yes CVE-2022-44737
CVE-2022-44737: All In One WP Security & Firewall <= 5.1.0 - Cross-Site Request Forgery

The All In One WP Security & Firewall plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to incorrect nonce validation on the functions 'render_login_whitelist', 'render_rename_login', 'render_honeypot' functions...

Published: Nov 22, 2022
Patched Release: 5.1.1
Affected Versions: Versions up to 5.1.0
Next Step: Update to 5.1.1 or newer if supported.
Plugin Medium Patched: Yes CVE-2022-4097
CVE-2022-4097: All-In-One Security (AIOS) – Security and Firewall <= 5.0.8 - IP Spoofing to Protection Mechanism Bypass

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.8. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login...

Published: Nov 21, 2022
Patched Release: 5.0.8
Affected Versions: Versions up to 5.0.7
Next Step: Update to 5.0.8 or newer if supported.
Plugin High Patched: Yes
All In One WP Security & Firewall <= 5.1.0 - Cross-Site Request Forgery

The All In One WP Security & Firewall plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the process_bulk_action function. This makes it possible for unauthenticated att...

Published: Nov 17, 2022
Patched Release: 5.1.1
Affected Versions: Versions up to 5.1.0
Next Step: Update to 5.1.1 or newer if supported.
Plugin Medium Patched: Yes
All In One WP Security & Firewall 5.0.0 - 5.0.7 - Protection Bypass via IP Spoofing

The All In One WP Security & Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions 5.0.0 - 5.0.7 (both included) due to insufficient IP address validation. This makes it possible for attackers to bypass IP blocks and access services even if their IP addre...

Published: Sep 30, 2022
Patched Release: 5.0.8
Affected Versions: 5.0.0 through 5.0.7
Next Step: Update to 5.0.8 or newer if supported.
Plugin Medium Patched: Yes CVE-2021-25102
CVE-2021-25102: All In One WP Security & Firewall <= 4.4.10 - Open Redirect and Reflected Cross-Site Scripting

The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect the user, either via a Location header or a meta url attribute, when the Rename Login Page is active, which could lead to a...

Published: Apr 11, 2022
Patched Release: 4.4.11
Affected Versions: Versions before 4.4.11
Next Step: Update to 4.4.11 or newer if supported.