PatchSiren cyber security CVE debrief

CVE-2026-8438 davidanderson CVE debrief

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. When the 'Disable REST API for non-logged in users' feature (aiowps_disallow_unauthorized_rest_requests) is enabled alongside debug logging (aiowps_enable_debug), an unauthenticated attacker can embed arbitrary HTML or JavaScript in the REST request path.

Vendor: davidanderson
Product: All-In-One Security (AIOS) – Security and Firewall
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-06
Original CVE updated: 2026-06-08
Advisory published: 2026-06-06
Advisory updated: 2026-06-08

Who should care

Administrators of WordPress sites running the All-In-One Security (AIOS) – Security and Firewall plugin at version 5.4.7 or earlier are affected, in particular where the 'Disable REST API for non-logged in users' feature and debug logging are both enabled. Unauthenticated attackers could exploit this vulnerability to inject arbitrary web scripts that run in an administrator's browser when the debug log page is viewed, potentially leading to nonce theft, privileged AJAX/REST actions, and full site compromise.

Technical summary

The vulnerability arises from insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. Specifically, when the 'Disable REST API for non-logged in users' feature and debug logging are enabled, an unauthenticated attacker can inject arbitrary HTML or JavaScript into the REST request path. This injected code is then stored in the database and executed in the administrator's browser session when viewing the debug log page.
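The two defects named above (no sanitization when the blocked route is captured, no escaping when the debug-log table renders it) are a general pattern, so the following added illustration places each one next to its hardened form. This is example code written for this debrief, not the AIOS plugin's own code; only esc_html(), sanitize_text_field() and wp_unslash() are real WordPress core functions, and every other function name, the log-entry shape and the sample route are assumptions. The guarded polyfills exist only so the file also runs from the command line outside WordPress.

```php
<?php
/**
 * Added illustration, not the AIOS plugin's code. Shows the two defects the
 * advisory describes (unsanitized capture of the REST route, unescaped output
 * in a list table's column_default()) beside a hardened version of each.
 * Real WordPress core APIs used: esc_html(), sanitize_text_field(), wp_unslash().
 * All other names are assumptions made for this example.
 */
if ( ! function_exists( 'esc_html' ) ) {
    // CLI polyfill approximating core esc_html().
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // CLI polyfill approximating core sanitize_text_field(): drop tags and control bytes, trim.
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
        return trim( $str );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return stripslashes( (string) $value );
    }
}

/* ---- Capture side: what gets written to the debug log -------------------- */

// Vulnerable pattern: whatever the client sent becomes the stored log entry verbatim.
function log_blocked_rest_request_vulnerable( array $log, string $route ): array {
    $log[] = array( 'event' => 'rest_blocked', 'detail' => $route );
    return $log;
}

// Hardened pattern: sanitize and bound the value before it is stored, so the
// database never holds executable markup even if a later reader forgets to escape.
function log_blocked_rest_request_hardened( array $log, string $route ): array {
    $clean = sanitize_text_field( wp_unslash( $route ) );
    $clean = mb_substr( $clean, 0, 512 );
    $log[] = array( 'event' => 'rest_blocked', 'detail' => $clean );
    return $log;
}

/* ---- Output side: the list-table cell renderer --------------------------- */

// Vulnerable pattern, the shape of a WP_List_Table::column_default() that trusts
// stored data: the stored string is returned into the page as HTML unchanged.
function column_default_vulnerable( array $item, string $column_name ): string {
    return isset( $item[ $column_name ] ) ? (string) $item[ $column_name ] : '';
}

// Hardened pattern: escape at the moment the value enters the HTML document,
// independently of what the capture side did (defence in depth).
function column_default_hardened( array $item, string $column_name ): string {
    return isset( $item[ $column_name ] ) ? esc_html( $item[ $column_name ] ) : '';
}

/* ---- Demonstration with a constructed route ------------------------------ */

// Constructed sample request path, not taken from the advisory.
$route = '/wp/v2/posts<script>alert(1)</script>';

$item_vuln = log_blocked_rest_request_vulnerable( array(), $route )[0];
$item_hard = log_blocked_rest_request_hardened( array(), $route )[0];

echo 'vulnerable cell : ', column_default_vulnerable( $item_vuln, 'detail' ), PHP_EOL;
echo 'escaped cell    : ', column_default_hardened( $item_vuln, 'detail' ), PHP_EOL;
echo 'sanitized cell  : ', column_default_hardened( $item_hard, 'detail' ), PHP_EOL;
```

The output side is the fix that matters most: escaping belongs at the point where a stored value is placed into HTML, because the renderer cannot know which code path wrote the row. Sanitizing on capture is a second, independent layer that also keeps the log readable for whoever reviews it.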

Defensive priority

High

Recommended defensive actions

  • Update the All-In-One Security (AIOS) – Security and Firewall plugin to a version later than 5.4.7.
  • Until the update is applied, avoid running the 'Disable REST API for non-logged in users' feature (aiowps_disallow_unauthorized_rest_requests) and debug logging (aiowps_enable_debug) at the same time, since the vulnerability requires both to be enabled; disable debug logging where it is not needed.
  • Monitor web server logs and the plugin's debug log for REST requests whose paths contain HTML markup or script tags, and treat such entries as attempted injection.

Evidence notes

Evidence from the National Vulnerability Database (NVD) and Wordfence security research indicates that this vulnerability could be exploited for Stored Cross-Site Scripting (XSS) attacks, potentially leading to significant compromise of WordPress sites using the affected plugin versions.

Official resources

CVE-2026-8438 was published on 2026-06-06T02:16:21.453Z and modified on 2026-06-08T14:57:14.757Z.