The All-In-One Security (AIOS) WordPress plugin was found to be logging plaintext passwords from login attempts.
Installed on more than one million WordPress sites, the security and firewall plugin was designed to prevent cyberattacks such as brute-force attempts, warn when the default admin username is used for login, prevent bot attacks, log user activity, and eliminate comment spam.