CVE-2026-8438 | Severity: HIGH | CNA: Wordfence

CVE-2026-8438: All-In-One Security (AIOS) <= 5.4.7 - Unauthenticated Stored Cross-Site Scripting via REST API Request Path

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. When the 'Disable REST API for non-logged in users' feature (aiowps_disallow_unauthorized_rest_requests) is enabled alongside debug logging (aiowps_enable_debug), an unauthenticated attacker can embed arbitrary HTML or JavaScript in the REST request path. The path is retrieved via urldecode($_SERVER['REQUEST_URI']), which decodes URL-encoded payloads into literal HTML characters. This decoded, unsanitized value is concatenated directly into a debug log message and stored in the database. When an administrator navigates to the AIOS Dashboard Debug Logs page, the column_default() method returns the raw database value without escaping, and the parent list table echoes it directly, causing JavaScript execution in the administrator's browser session. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page, enabling nonce theft, privileged AJAX/REST actions, and potential full site compromise.
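The store-then-render pattern the advisory describes, as an added illustration in plain PHP (not AIOS code; the function names are hypothetical and the request URI is constructed): the vulnerable path decodes the raw URI into the log message and echoes it back unescaped, while the hardened path strips markup before storage and escapes at output.

```php
<?php
// Added example, not code from the AIOS plugin. Illustrates the defect
// described in CVE-2026-8438 and one way to harden both sides of it.

// Constructed sample: a REST path carrying a URL-encoded HTML tag.
$sample_request_uri = '/wp-json/wp/v2/users?q=%3Cb%3Einjected%3C%2Fb%3E';

// Vulnerable storage: urldecode() turns %3C/%3E into literal '<' and '>',
// and the result is concatenated into the log text as-is.
function vulnerable_log_message(string $request_uri): string {
    $route = urldecode($request_uri);
    return 'Blocked unauthenticated REST request to: ' . $route;
}

// Vulnerable rendering: the stored row is returned for echo without escaping.
function vulnerable_render(string $stored): string {
    return $stored;
}

// Hardened storage: remove tags and control characters before the value is
// persisted, so the log never holds markup or multi-line injection.
// (In WordPress: wp_strip_all_tags() / sanitize_text_field().)
function hardened_log_message(string $request_uri): string {
    $route = urldecode($request_uri);
    $route = strip_tags($route);
    $route = preg_replace('/[\x00-\x1F\x7F]/', '', $route);
    return 'Blocked unauthenticated REST request to: ' . $route;
}

// Hardened rendering: escape at output time as well, so rows written before
// the fix are also neutralised. (In WordPress: esc_html().)
function hardened_render(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$vuln = vulnerable_log_message($sample_request_uri);
$safe = hardened_log_message($sample_request_uri);
echo "vulnerable stored : " . $vuln . "\n";                    // contains literal <b>…</b>
echo "hardened stored   : " . $safe . "\n";                    // tags removed
echo "vulnerable render : " . vulnerable_render($vuln) . "\n"; // markup reaches the browser
echo "hardened render   : " . hardened_render($vuln) . "\n";   // &lt;b&gt; even for a legacy row
```

Both layers matter: sanitising at write time keeps the database clean, and escaping at read time covers any row that was stored before the sanitiser existed.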

Metrics

  • CVSS v3.1: 7.2
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in the All-In-One Security (AIOS) plugin for WordPress allows an unauthenticated attacker to inject arbitrary JavaScript via a crafted REST API request path. The plugin's debug logging feature decodes and stores the raw request URI without sanitization, then an admin page renders that value without escaping. When an administrator views the Debug Logs page, the stored script executes in their browser, enabling session hijacking, privileged action execution, and full site compromise. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-8438 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images and pipeline builds, including custom WordPress-based images that bundle the AIOS plugin.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 7.2 HIGH and weighting it against each environment's compliance policy to determine urgency and route alerts to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks this advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version appears. In the interim, customers can use HarborGuard policy controls to flag any image containing AIOS 5.4.7 or earlier as non-compliant and block it from promotion to production.

Exploit Conditions

  • Network reachability: Required

    The attacker sends a crafted HTTP request to the WordPress REST API endpoint over the network; no physical or local access is needed.

  • Authentication: Not required

    No account or credentials of any kind are required; the malicious payload is embedded in an unauthenticated REST API request path.

  • Victim interaction: Not required

    No victim interaction is required to store the payload; however, the stored script executes automatically when any administrator navigates to the Debug Logs page, which is a normal administrative workflow rather than a social-engineering step.

  • Attack complexity: Low (AC:L)

    Exploitation is straightforward and condition-free: the attacker URL-encodes an XSS payload in the request path, and the plugin's own decoding step converts it to executable HTML without any race condition or special environmental requirement.

Blast Radius

  • Reads the administrator's active session nonce, enabling the attacker to forge authenticated AJAX and REST API requests on behalf of that administrator.
  • Executes privileged WordPress actions such as creating administrator accounts, installing plugins, or modifying site options within the administrator's browser session.
  • Exfiltrates sensitive data visible on the WordPress dashboard, including user records and configuration details, to an attacker-controlled endpoint.
  • Enables full site compromise by chaining nonce theft with plugin installation or settings modification, giving the attacker persistent backdoor access.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-8438 as of publication, HarborGuard continuously re-checks the Wordfence advisory feed on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is released. For environments with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads without manual intervention. In the interim, customers can apply compensating controls through HarborGuard policy: flag any image containing AIOS version 5.4.7 or earlier as non-compliant, block it from promotion past staging gates, and consider network-policy isolation for WordPress workloads to limit which internal services are reachable from the public REST API surface. Where the AIOS debug logging feature (aiowps_enable_debug) can be disabled at the application configuration level, doing so removes the storage mechanism that makes exploitation possible, and HarborGuard's configuration-drift detection can alert if that setting is re-enabled.

Affected packages
  • davidanderson / All-In-One Security (AIOS) – Security and Firewall
    ≤ 5.4.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N