WordPress developers forcibly updated vulnerable Loginizer plugin

WordPress forcibly updated Loginizer
Written by Emma Davis

This week, the WordPress developers were forced to go to extreme measures and take a very rare step: they forcibly updated the Loginizer plugin for all users to version 1.6.4.

Loginizer is one of the most popular WordPress plugins (over 1,000,000 installations) that aims to improve the security of WordPress login page. So, it can be used to add IP addresses to the black or white list, you can add support for two-factor authentication or CAPTCHA to block automatic login attempts, and so on.

Security researcher Slavco Mihajloski discovered a serious problem in Loginizer this week. According to the description of the bug, it is an SQL injection and is associated with the operation of the brute force protection mechanism, which is enabled by default for all sites on which the plugin is installed.

To exploit this vulnerability, an attacker would have to try to log into the site using a knowingly incorrect username, where he could include SQL statements. When authentication fails, the Loginizer will note this unsuccessful attempt to log into the site’s database along with an invalid username.says Slavco Mihajloski.

However, the plug-in does not perform the necessary cleanup of the username and leaves the SQL statements intact, allowing attackers to execute malicious code. Mihailoski writes that this gives any unauthenticated hacker the ability to completely compromise a WordPress site.

Since this vulnerability is definitely one of the most serious problems found in WordPress plugins in recent years, the CMS security team decided to force spreading of the Loginizer version 1.6.4 all vulnerable sites.

Ryan Dewhurst, Founder and Head of WPScan, told ZDNet reporters that the forced plugin update feature has been present in the WordPress codebase since version 3.7, released in 2013, but it is rarely used.

A vulnerability that I personally discovered in the popular Yoast SEO WordPress plugin in 2015 was force-fixed. Although the problem I found was not as dangerous as the problem in the Loginizer plugin. I’m not aware of any other [forced update of plugins], but it is very likely that there were.says Dewhurst.

Interestingly, WordPress core developer Samuel Wood claims that the feature has been used โ€œmany times,โ€ although he does not disclose details. And in 2015, another WordPress developer stated that the force plugin update feature had only been used five times since its introduction in 2013.

It must be said that the WordPress developers try not to abuse this feature for good reason. So, after the forced update of Loginizer 1.6.4, users immediately started complaining and resenting on the plugin forum in the WordPress.org repository. The authors of the angry comments are perplexed as to how the plugin could update even with auto-update disabled.

In turn, Dewhurst believes that this feature is almost never used, as WordPress developers fear the risks associated with the distribution of a broken patch to a large number of users.

Let me remind you that we talked about vulnerability in WordPress wpDiscuz plugin, that leads to arbitrary code execution as well as vulnerabilities in WordPress Database Reset plugin, that allow hijacking a site or erasing all data.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.