All In One Wp Security And Firewall
by WordPress
CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-10888 | Cri | 0.64 | 9.8 | 0.02 | Aug 14, 2019 | The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues. | ||
| CVE-2016-10887 | Cri | 0.64 | 9.8 | 0.02 | Aug 14, 2019 | The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues. | ||
| CVE-2015-9310 | Cri | 0.64 | 9.8 | 0.02 | Aug 14, 2019 | The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues. | ||
| CVE-2026-8438 | Hig | 0.40 | 7.2 | 0.00 | Jun 6, 2026 | The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the… | ||
| CVE-2016-10867 | Med | 0.40 | 6.1 | 0.01 | Aug 13, 2019 | The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages. | ||
| CVE-2016-10866 | Med | 0.40 | 6.1 | 0.01 | Aug 13, 2019 | The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPress has multiple XSS issues. | ||
| CVE-2016-10868 | Med | 0.40 | 6.1 | 0.01 | Aug 13, 2019 | The all-in-one-wp-security-and-firewall plugin before 4.0.5 for WordPress has XSS in the blacklist, file system, and file change detection settings pages. | ||
| CVE-2015-9294 | Med | 0.40 | 6.1 | 0.01 | Aug 13, 2019 | The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances. | ||
| CVE-2015-9293 | Med | 0.40 | 6.1 | 0.01 | Aug 13, 2019 | The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature. | ||
| CVE-2022-4097 | Med | 0.34 | 5.3 | 0.01 | Dec 12, 2022 | The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more). | ||
| CVE-2021-25102 | Med | 0.31 | 4.7 | 0.01 | May 2, 2022 | The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to… | ||
| CVE-2024-30468 | Med | 0.28 | 4.3 | 0.00 | Mar 29, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in All In One WP Security & Firewall Team All In One WP Security & Firewall.This issue affects All In One WP Security & Firewall: from n/a through 5.2.6. | ||
| CVE-2023-52147 | Low | 0.24 | 3.7 | 0.00 | Jun 4, 2024 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in All In One WP Security & Firewall Team All In One WP Security & Firewall allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects All In One WP Security & Firewall: from n/a… | ||
| CVE-2014-6242 | 0.03 | — | 0.04 | Oct 2, 2014 | Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this… | |||
| CVE-2020-29171 | Med | 0.00 | 6.1 | 0.01 | Feb 10, 2021 | Cross-site scripting (XSS) vulnerability in admin/wp-security-blacklist-menu.php in the Tips and Tricks HQ All In One WP Security & Firewall (all-in-one-wp-security-and-firewall) plugin before 4.4.6 for WordPress. | ||
| CVE-2015-0895 | 0.00 | — | 0.01 | Mar 7, 2015 | Cross-site request forgery (CSRF) vulnerability in the All In One WP Security & Firewall plugin before 3.9.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete logs of 404 (aka Not Found) HTTP status codes. | |||
| CVE-2015-0894 | 0.00 | — | 0.02 | Mar 7, 2015 | SQL injection vulnerability in the All In One WP Security & Firewall plugin before 3.8.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
- risk 0.64cvss 9.8epss 0.02
The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues.
- risk 0.64cvss 9.8epss 0.02
The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues.
- risk 0.64cvss 9.8epss 0.02
The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues.
- risk 0.40cvss 7.2epss 0.00
The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the…
- risk 0.40cvss 6.1epss 0.01
The all-in-one-wp-security-and-firewall plugin before 4.0.6 for WordPress has XSS in settings pages.
- risk 0.40cvss 6.1epss 0.01
The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPress has multiple XSS issues.
- risk 0.40cvss 6.1epss 0.01
The all-in-one-wp-security-and-firewall plugin before 4.0.5 for WordPress has XSS in the blacklist, file system, and file change detection settings pages.
- risk 0.40cvss 6.1epss 0.01
The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances.
- risk 0.40cvss 6.1epss 0.01
The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature.
- risk 0.34cvss 5.3epss 0.01
The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force protection, and more).
- risk 0.31cvss 4.7epss 0.01
The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to…
- risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in All In One WP Security & Firewall Team All In One WP Security & Firewall.This issue affects All In One WP Security & Firewall: from n/a through 5.2.6.
- risk 0.24cvss 3.7epss 0.00
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in All In One WP Security & Firewall Team All In One WP Security & Firewall allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects All In One WP Security & Firewall: from n/a…
- CVE-2014-6242Oct 2, 2014risk 0.03cvss —epss 0.04
Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this…
- risk 0.00cvss 6.1epss 0.01
Cross-site scripting (XSS) vulnerability in admin/wp-security-blacklist-menu.php in the Tips and Tricks HQ All In One WP Security & Firewall (all-in-one-wp-security-and-firewall) plugin before 4.4.6 for WordPress.
- CVE-2015-0895Mar 7, 2015risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the All In One WP Security & Firewall plugin before 3.9.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete logs of 404 (aka Not Found) HTTP status codes.
- CVE-2015-0894Mar 7, 2015risk 0.00cvss —epss 0.02
SQL injection vulnerability in the All In One WP Security & Firewall plugin before 3.8.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.