This week, the WordPress developers were forced to go to extreme measures and take a very rare step: they forcibly updated the Loginizer plugin for all users to version 1.6.4.
Loginizer is one of the most popular WordPress plugins (over 1,000,000 installations) and aims to harden the WordPress login page: it can blacklist or whitelist IP addresses, add two-factor authentication or a CAPTCHA to block automated login attempts, and so on.

Security researcher Slavco Mihajloski discovered a serious problem in Loginizer this week. According to the bug description, it is an SQL injection in the brute-force protection mechanism, which is enabled by default on every site where the plugin is installed.

However, the plugin does not sanitize the username before placing it in its SQL statements, allowing attackers to inject malicious code. Mihajloski writes that this gives any unauthenticated attacker the ability to completely compromise a WordPress site.
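To make the class of bug concrete, here is an added illustration of the pattern the article describes: a brute-force counter that records failed logins per username, first written with the submitted username concatenated straight into the query, then hardened with `$wpdb->prepare()`. This is example code written for this article, not Loginizer's actual source; the table name, column names and function names are hypothetical, while `$wpdb`, `sanitize_user()` and the `wp_login_failed` hook are real WordPress APIs.

```php
<?php
// Added illustration, not Loginizer's code. Table and function names are hypothetical.

// VULNERABLE PATTERN: the submitted username is interpolated straight into SQL.
// The failed-login hook receives whatever a visitor typed into the login form,
// so this query is reachable without any authentication.
function bf_record_failure_vulnerable( $username ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bf_failed_logins'; // hypothetical table
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    // The username is used unescaped: any SQL metacharacters in it become part of the statement.
    $wpdb->query( "INSERT INTO {$table} (username, ip, attempted_at) VALUES ('{$username}', '{$ip}', NOW())" );
}

// HARDENED PATTERN: same behaviour, but the values are bound with $wpdb->prepare(),
// which escapes them so they can only ever be data, never SQL.
function bf_record_failure_safe( $username ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'bf_failed_logins'; // hypothetical table
    $ip       = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    // Strict mode strips every character WordPress would never accept in a login name.
    $username = sanitize_user( $username, true );

    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (username, ip, attempted_at) VALUES (%s, %s, NOW())",
        $username,
        $ip
    ) );
}

// Reading the counter back follows the same rule: never concatenate, always bind.
function bf_recent_failures( $username, $window_minutes = 15 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bf_failed_logins'; // hypothetical table
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE username = %s AND attempted_at > DATE_SUB(NOW(), INTERVAL %d MINUTE)",
        sanitize_user( $username, true ),
        $window_minutes
    ) );
}

// WordPress fires wp_login_failed with the submitted username on every bad attempt;
// only the hardened handler should ever be registered.
add_action( 'wp_login_failed', 'bf_record_failure_safe' );
```

The point for site owners is that a brute-force protection feature runs on every failed login, so it processes attacker-controlled input by design and must treat the username as data only. On a site with WP-CLI, `wp plugin get loginizer --field=version` shows whether the installed copy is already at 1.6.4 or later.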
Since this vulnerability is one of the most serious problems found in a WordPress plugin in recent years, the CMS security team decided to force-push Loginizer version 1.6.4 to all vulnerable sites.
Ryan Dewhurst, Founder and Head of WPScan, told ZDNet reporters that the forced plugin update feature has been present in the WordPress codebase since version 3.7, released in 2013, but it is rarely used.
Interestingly, WordPress core developer Samuel Wood claims that the feature has been used "many times," although he does not disclose details. And in 2015, another WordPress developer stated that the forced plugin update feature had only been used five times since its introduction in 2013.
It must be said that the WordPress developers try not to abuse this feature, and for good reason: after the forced update to Loginizer 1.6.4, users immediately started complaining angrily on the plugin's forum in the WordPress.org repository. The authors of the angry comments are perplexed as to how the plugin could update even with auto-updates disabled.
In turn, Dewhurst believes that this feature is almost never used because WordPress developers fear the risks of distributing a broken patch to a large number of users.
Let me remind you that we previously covered a vulnerability in the WordPress wpDiscuz plugin that leads to arbitrary code execution, as well as vulnerabilities in the WordPress Database Reset plugin that allow hijacking a site or erasing all of its data.