CVE-2026-8438
Deferred Deferred - Pending Action
Stored XSS in All-In-One Security WordPress Plugin

Publication date: 2026-06-06

Last updated on: 2026-06-08

Assigner: Wordfence

Description
The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. When the 'Disable REST API for non-logged in users' feature (aiowps_disallow_unauthorized_rest_requests) is enabled alongside debug logging (aiowps_enable_debug), an unauthenticated attacker can embed arbitrary HTML or JavaScript in the REST request path. The path is retrieved via urldecode($_SERVER['REQUEST_URI']), which decodes URL-encoded payloads into literal HTML characters. This decoded, unsanitized value is concatenated directly into a debug log message and stored in the database. When an administrator navigates to the AIOS Dashboard Debug Logs page, the column_default() method returns the raw database value without escaping, and the parent list table echoes it directly, causing JavaScript execution in the administrator's browser session. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page, enabling nonce theft, privileged AJAX/REST actions, and potential full site compromise.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-06
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-06
EPSS Evaluated
2026-06-25
NVD
CVE-2026-8438
EUVD
EUVD-2026-34942
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence all_in_one_security to 5.4.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 5.4.7. This occurs because the plugin does not properly sanitize input in the get_rest_route() function and fails to escape output in the column_default() method of the debug log list table.

When the 'Disable REST API for non-logged in users' feature is enabled along with debug logging, an unauthenticated attacker can insert arbitrary HTML or JavaScript into the REST request path. This path is decoded and stored directly in the debug log without sanitization.

When an administrator views the debug log page, the malicious script executes in their browser, potentially allowing the attacker to steal security tokens (nonces), perform privileged actions, and possibly take over the entire site.

Impact Analysis

This vulnerability can lead to serious security impacts including unauthorized execution of JavaScript in an administrator's browser session.

  • The attacker can steal security tokens (nonces) used to protect against CSRF attacks.
  • The attacker can perform privileged AJAX or REST API actions without authentication.
  • There is a risk of full site compromise if the attacker leverages the vulnerability effectively.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart