WordPress deploys forced security update for dangerous bug in popular plugin
More than one million WordPress sites were running a vulnerable version of the Loginizer plugin
The WordPress security team took a rare step last week and used a lesser-known internal capability to forcibly push a security update for a popular plugin.
WordPress sites running the Loginizer plugin were forcibly updated this week to Loginizer version 1.6.4.
This version contained a security fix for a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the Loginizer plugin.
Loginizer is one of today’s most popular WordPress plugins, with an install base of over one million sites.
The plugin provides security enhancements for the WordPress login page. According to its official description, Loginizer can blacklist or whitelist IP addresses from accessing the WordPress login page, can add support for two-factor authentication, or can add simple CAPTCHAs to block automated login attempts, among many other features.
This week, security researcher Slavco Mihajloski disclosed a severe vulnerability in the Loginizer plugin.
According to a description provided by the WPScan WordPress vulnerability database, the security bug resides in Loginizer’s brute-force protection mechanism, enabled by default for all sites where Loginizer is installed.
To exploit this bug, an attacker can try to log into a WordPress site using a malformed WordPress username in which they can include SQL statements.
When the authentication fails, the Loginizer plugin will record this failed attempt in the WordPress site’s database, along with the failed username.
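As an added illustration of the bug class described above (this is not Loginizer's code), the following shows a failed-login logger that interpolates the submitted username straight into SQL, next to two prepared-statement forms that store it safely; it assumes WordPress's global `$wpdb` object, the core `wp_login_failed` action, and a hypothetical `failed_logins` table.

```php
<?php
// Added example, not code from the Loginizer plugin.
// Assumes WordPress's global $wpdb and a hypothetical table
// "{$wpdb->prefix}failed_logins" (username, ip, attempted_at).

// VULNERABLE: the attacker-chosen username is concatenated into the query,
// so a failed login lets arbitrary text reach the SQL parser. This is the
// condition the advisory describes.
function log_failed_login_vulnerable( $username, $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'failed_logins';
    $time  = time();
    return $wpdb->query(
        "INSERT INTO {$table} (username, ip, attempted_at) VALUES ('{$username}', '{$ip}', {$time})"
    );
}

// HARDENED: same record, written through $wpdb->prepare(). The %s/%d
// placeholders are bound as data, so the username is stored verbatim and is
// never interpreted as SQL, whatever characters it contains.
function log_failed_login_hardened( $username, $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'failed_logins';
    return $wpdb->query(
        $wpdb->prepare(
            "INSERT INTO {$table} (username, ip, attempted_at) VALUES (%s, %s, %d)",
            $username,
            $ip,
            time()
        )
    );
}

// Equivalent hardened form using $wpdb->insert(), which escapes each value
// according to the format list supplied as the third argument.
function log_failed_login_insert( $username, $ip ) {
    global $wpdb;
    return $wpdb->insert(
        $wpdb->prefix . 'failed_logins',
        array( 'username' => $username, 'ip' => $ip, 'attempted_at' => time() ),
        array( '%s', '%s', '%d' )
    );
}

// Wire the safe logger to the core action WordPress fires on a failed login.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    log_failed_login_hardened( $username, $ip );
} );
```

When auditing a plugin for this class of bug, grep for `$wpdb->query(` and `$wpdb->get_results(` calls whose argument is a double-quoted string containing `$` and is not wrapped in `$wpdb->prepare(`.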