Security Advisory: XSS in WordPress Plugin (CVE-2026-8438)

Cross-Site Scripting (XSS) in the WordPress plugin All In One WP Security & Firewall

Unauthenticated Stored XSS in All In One WP Security & Firewall (≤ 5.4.7) — What Site Owners Must Know


Plugin name: All In One WP Security & Firewall
Vulnerability type: XSS
CVE number: CVE-2026-8438
Urgency: Medium
CVE publication date: 2026-06-09
Source URL: CVE-2026-8438

Author: Hong Kong security expert
Date: 2026-06-09

Note: This briefing is written by practitioners who run WAFs, handle incident response and harden WordPress sites. It explains the unauthenticated stored Cross-Site Scripting (XSS) vulnerability CVE-2026-8438 in All In One WP Security & Firewall (≤ 5.4.7) and gives mitigation, detection and response steps you can implement immediately.

Summary: the essentials

  • What happened: An unauthenticated stored XSS vulnerability (CVE-2026-8438) affects All In One WP Security & Firewall plugin versions up to and including 5.4.7.
  • Risk: CVSS 7.1, which the source classifies as Medium (note that 7.1 falls in the High band of the CVSS v3 qualitative scale). Stored XSS executes arbitrary JavaScript in the browser of whoever views the injected content, frequently administrators or other privileged users. Exploitation generally requires user interaction (for example, an administrator visiting the affected page or clicking a crafted link).
  • Patch: Upgrade the plugin to version 5.4.8 or later immediately.
  • Short-term mitigation: If you cannot patch right away, restrict access to wp-admin and plugin pages by IP, temporarily deactivate the plugin, or apply a virtual patch via your WAF.
  • Action for site owners: patch, audit for injected content, rotate credentials, review logs, and enable appropriate protective controls.

Why this vulnerability matters

Stored XSS is a severe client-side vulnerability. Unlike reflected XSS, a stored payload persists in storage (database, logs, settings) and can affect many users over time. In WordPress, a stored XSS in a plugin that renders content on admin-facing pages is particularly dangerous because:

  • Admin pages are typically visited by site administrators and managers — high-value targets.
  • Execution of arbitrary JavaScript in an admin’s browser can lead to full site takeover: creating posts, installing backdoors, creating admin users, changing options, or exfiltrating credentials/cookies.
  • Because the vulnerability is unauthenticated, an attacker only needs to inject content that will later be displayed to a privileged user; no login is required to submit the payload.

Even if published advisories note that user interaction is required, attackers frequently accomplish that interaction through social engineering, crafted admin links, or compromised internal pages.

How attackers exploit this vulnerability (attack flow)

  1. Attacker crafts a payload containing malicious JavaScript to steal cookies, perform actions with the admin’s session, or inject further backdoors.
  2. They find an input endpoint in the vulnerable plugin where submitted content is stored without proper sanitization (settings fields, logs, notes, etc.).
  3. Attacker submits the payload (unauthenticated).
  4. When an administrator or privileged user visits the page that renders the stored content, the script executes in their browser.
  5. With code running in admin context, the attacker can perform authenticated actions, exfiltrate tokens, or pivot to internal systems accessible from the admin’s browser.

Immediate steps for site owners

  1. Update: Upgrade All In One WP Security & Firewall to 5.4.8 or later immediately. Use the WordPress dashboard or your deployment process, and verify afterwards that the installed version is 5.4.8 or later.
  2. If you cannot patch immediately:

    • Temporarily deactivate the vulnerable plugin (this also disables the firewall and login-protection features it provides, so pair it with the other controls below).
    • Restrict access to wp-admin and plugin management pages by IP (server firewall, .htaccess, hosting control panel).
    • Apply WAF virtual patches or rules to block likely payloads; pattern-based XSS blocking is bypass-prone, so treat it as a stopgap until the update is applied.
    • Limit administrative access (disable remote admin where possible).
  3. Audit for indicators of compromise:

    • Search posts, options, comments, user meta, and plugin tables for suspicious