CVE-2015-9293
Description
The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS vulnerability in the unlock request feature of All-In-One Security plugin before 3.9.8 allows attackers to inject arbitrary JavaScript.
Vulnerability
The All-In-One Security (AIOS) plugin for WordPress contains a cross-site scripting (XSS) vulnerability in the unlock request feature, which allows unauthenticated attackers to inject arbitrary JavaScript into the unlock request functionality. Affected versions are those prior to 3.9.8, that is, 3.9.7 and earlier [1].
Exploitation
An attacker can craft a malicious unlock request that includes JavaScript payloads. When the request is processed by the plugin, the payload is executed in the browser of an administrator or user who views the unlock request page. No authentication or special privileges are required to submit the request, but user interaction (e.g., an admin reviewing the request) is necessary for execution.
Impact
Successful exploitation leads to cross-site scripting, which can result in session hijacking, defacement, or theft of sensitive information. The attacker may perform actions on behalf of the victim, such as modifying plugin settings or creating new administrator accounts.
Mitigation
Users should update the All-In-One Security plugin to version 3.9.8 or later, which fixes this vulnerability. The current version (5.4.7) includes the patch [1]. No known workarounds exist; updating is the recommended action.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/all-in-one-wp-security-and-firewall (description)
- Range: <3.9.8
Patches
No patches discovered yet.
References
- wordpress.org/plugins/all-in-one-wp-security-and-firewall/ (mitre, x_refsource_MISC)