CVE-2026-8438: All-In-One Security Plugin Stored XSS in Debug Logs
The All-In-One Security (AIOS) WordPress plugin contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 5.4.7. An unauthenticated attacker can inject malicious JavaScript into debug logs by crafting specially designed REST API requests. When site administrators view the debug logs page, the injected script executes in their browser, potentially allowing the attacker to steal session credentials, execute unauthorized actions, or compromise the entire WordPress site. The vulnerability requires two specific plugin features to be enabled: the 'Disable REST API for non-logged in users' setting and debug logging.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. When the 'Disable REST API for non-logged in users' feature (aiowps_disallow_unauthorized_rest_requests) is enabled alongside debug logging (aiowps_enable_debug), an unauthenticated attacker can embed arbitrary HTML or JavaScript in the REST request path. The path is retrieved via urldecode($_SERVER['REQUEST_URI']), which decodes URL-encoded payloads into literal HTML characters. This decoded, unsanitized value is concatenated directly into a debug log message and stored in the database. When an administrator navigates to the AIOS Dashboard Debug Logs page, the column_default() method returns the raw database value without escaping, and the parent list table echoes it directly, causing JavaScript execution in the administrator's browser session. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page, enabling nonce theft, privileged AJAX/REST actions, and potential full site compromise.
10 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8438 is a stored XSS vulnerability in the AIOS plugin's debug logging mechanism. The root cause lies in two implementation gaps: (1) the get_rest_route() function retrieves and URL-decodes the REQUEST_URI without sanitizing the result, and (2) the column_default() method in the debug log list table fails to escape output before display. When an unauthenticated attacker sends a request with URL-encoded HTML or JavaScript in the path and both the aiowps_disallow_unauthorized_rest_requests and aiowps_enable_debug options are active, the decoded payload is written verbatim to the debug log in the database. Upon administrator access to the Debug Logs page, the unsanitized value flows through the list table rendering without escaping, causing browser execution of the stored payload. This attack chain bypasses the REST API restriction by exploiting the logging function itself rather than requiring authentication.
Business impact
Stored XSS vulnerabilities in WordPress admin panels pose direct operational and security risks. An attacker can harvest administrator session tokens or nonces, then use those stolen credentials to perform privileged actions such as creating malicious user accounts, installing backdoored plugins, or modifying site content. The attack surface is particularly broad because triggering the vulnerability requires only a single unauthenticated HTTP request—no user interaction beyond normal site administration is needed. For multi-site WordPress installations, compromise of an administrator session can lead to lateral movement across multiple properties. Organizations relying on AIOS for security hardening face the irony of a security plugin becoming an attack vector if left unpatched.
Affected systems
WordPress installations running All-In-One Security (AIOS) plugin version 5.4.7 and earlier are affected. The vulnerability is only exploitable when both of the following plugin settings are enabled: 'Disable REST API for non-logged in users' and debug logging. Sites with only one of these features enabled are not vulnerable. Since AIOS is a free plugin available on the WordPress plugin repository, exposure is potentially widespread across small-to-medium business WordPress sites and shared hosting environments.
Exploitability
The vulnerability is straightforward to exploit. An attacker needs only to craft an HTTP request with URL-encoded JavaScript in the path—no authentication, no user interaction, and no complex pre-conditions beyond the two plugin settings being enabled. The CVSS score of 7.2 reflects the high accessibility (network-based, low complexity, no privileges required) and the fact that exploitation does not require administrator clicks or social engineering. However, the payload must persist and be viewed by an administrator for the attack to succeed, and administrators must have access to the Debug Logs page. Detection by the attacker cannot be guaranteed without additional reconnaissance.
Remediation
Update the All-In-One Security plugin to a patched version that sanitizes the REQUEST_URI in the get_rest_route() function and applies proper output escaping in the column_default() method. Verify the patch version against the official AIOS plugin repository or vendor advisory. As an interim measure, if immediate patching is not possible, disable either the 'Disable REST API for non-logged in users' feature or debug logging—doing so will prevent the vulnerability from being triggered, though this may impact your intended security posture or troubleshooting capability.
Patch guidance
Check the All-In-One Security plugin's release notes and security advisories on the official WordPress plugin repository or the plugin vendor's website for the first version that addresses CVE-2026-8438. Enable automatic plugin updates in WordPress to receive patches promptly, or manually update the plugin from the Plugins page in the WordPress admin dashboard. After updating, verify that both the 'Disable REST API for non-logged in users' and debug logging features are configured according to your security requirements; patching removes the vulnerability, but re-enabling these features is safe only after the patch is applied.
Detection guidance
Search your WordPress debug logs and web server access logs for requests containing URL-encoded characters followed by angle brackets or script tags in the REQUEST_URI—patterns such as %3C%73%63%72%69%70%74 (encoded '<script') are indicators of potential exploitation attempts. Monitor the AIOS Debug Logs page for entries containing raw HTML or JavaScript; legitimate debug entries should not include such content. If you have access to the WordPress database, query the debug log table for rows containing '<script', '<iframe', 'javascript:', or other XSS payloads. Note any timestamps and cross-reference them with administrator login records to determine if malicious sessions were created. Web application firewalls (WAF) can be configured to flag requests with URL-encoded script tags in the path.
Why prioritize this
Although CVE-2026-8438 is not yet listed in CISA's Known Exploited Vulnerabilities catalog, the combination of high CVSS score (7.2), zero authentication requirement, and the ubiquity of WordPress as a platform makes this a medium-to-high priority for patching. Organizations using AIOS should treat this as urgent if the plugin is active with debug logging enabled, as an unauthenticated remote attacker can directly inject malicious code into administrator sessions. The stored nature of the XSS also means that other administrators could be compromised by simply checking logs after an attack occurs, multiplying the blast radius.
Risk score, explained
The CVSS 3.1 score of 7.2 (HIGH) reflects: Attack Vector = Network (anyone on the internet can send a request), Attack Complexity = Low (no special conditions or timing required beyond enabling two plugin settings), Privileges Required = None (no authentication needed), User Interaction = None (payload executes when admin views logs, not requiring additional clicks), Scope = Changed (the attacker's impact extends beyond the AIOS plugin to the full WordPress site and potentially the WordPress network), Confidentiality = Low (session tokens and credentials can be exfiltrated), and Integrity = Low (site content and configuration can be modified). The score does not include Availability impact because the vulnerability does not directly crash or disable services, though a compromised site could suffer availability degradation from malicious changes.
Frequently asked questions
Does this vulnerability affect WordPress sites that do not use the All-In-One Security plugin?
No. CVE-2026-8438 is specific to the AIOS plugin. Sites using other security or firewall plugins, or no third-party security plugin at all, are not affected.
What if I have the AIOS plugin installed but only one of the two required features is enabled—either debug logging or the REST API restriction, but not both?
The vulnerability cannot be triggered if only one setting is enabled. Both 'Disable REST API for non-logged in users' and debug logging must be active simultaneously for the attack to work. However, you should still apply the patch for defense-in-depth, in case a future feature or configuration change reintroduces risk.
Can an attacker steal my administrator password with this vulnerability?
Not directly. However, the attacker can steal session nonces and authentication tokens that remain valid for the duration of the administrator's logged-in session. Using these tokens, the attacker can perform any action the administrator can perform, including changing passwords or creating new administrative accounts. The net effect is equivalent to account compromise.
How can I tell if my site has already been attacked via this vulnerability?
Review your AIOS Debug Logs page for entries containing HTML, JavaScript, or unusual characters that appear out of place in normal debug output. Check your WordPress user accounts for unfamiliar administrator or editor accounts created around the time of potential exploitation. Review administrator login records and session logs if available. If you suspect compromise, consider running a WordPress security scanner and consulting a security professional.
This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. The information herein is based on publicly disclosed vulnerability data as of the publication date and should not be considered exhaustive or a substitute for vendor security advisories. Always verify patch availability and version numbers against official vendor channels before deploying updates. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this intelligence. Organizations are responsible for conducting their own risk assessments and security testing in their environments. Exploit code, proof-of-concept demonstrations, or attack methodology details are not provided herein; such information may be available through other security research channels and should be handled with appropriate caution and legal consideration. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)