NinTechNet identified multiple XSS vulnerabilities in the All In One WP Security & Firewall v4.0.7 plugin.
The affected parameter was ‘tab’ (all pages):
/wp-admin/admin.php?page=aiowpsec&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_settings&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_useracc&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_userlogin&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_user_registration&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_database&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_filesystem&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_whois&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_blacklist&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_firewall&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_brute_force&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_spam&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_filescan&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_maintenance&tab=[XSS] /wp-admin/admin.php?page=aiowpsec_misc&tab=[XSS]
According to the author, the issue was patched in 4.0.8.