This week, the WordPress developers resorted to an extreme and very rarely used measure: they forcibly updated the Loginizer plugin to version 1.6.4 for all users.
Loginizer is one of the most popular WordPress plugins (over 1,000,000 installations) and is designed to improve the security of the WordPress login page: it can blacklist or whitelist IP addresses, add two-factor authentication, add a CAPTCHA to block automated login attempts, and so on.
The serious issue in Loginizer was discovered this week by information security researcher Slavco Mihajloski. According to the bug description, it is a SQL injection tied to the brute-force protection mechanism, which is enabled by default on every site where the plugin is installed.
To exploit this vulnerability, an attacker would attempt to log in to the site with an incorrect username that includes SQL statements. When authentication fails, Loginizer records the unsuccessful attempt in the site's database together with the invalid username. The plugin does not perform the necessary sanitization of the username and leaves the SQL statements intact, allowing attackers to execute malicious code. Mihajloski writes that, because of this, any unauthenticated attacker can completely compromise a WordPress site.
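The bug class described above, as an added illustration that is not Loginizer's own code: a failed-login record written with string interpolation next to the same write done with a prepared statement. The table, column and function names are hypothetical, and an in-memory SQLite database stands in for the WordPress database so the snippet runs stand-alone; inside a WordPress plugin the equivalent safe call is `$wpdb->prepare()`.

```php
<?php
// Added illustrative example, not Loginizer's code. Table and column names
// are hypothetical; SQLite in memory replaces the WordPress database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE failed_logins (id INTEGER PRIMARY KEY, username TEXT, ip TEXT, ts INTEGER)');

// Vulnerable pattern: the untrusted username is pasted into the SQL text, so any
// quote character it contains is interpreted by the SQL parser, not stored as data.
function log_failed_login_unsafe(PDO $db, string $username, string $ip): void {
    $sql = "INSERT INTO failed_logins (username, ip, ts) VALUES ('$username', '$ip', " . time() . ")";
    $db->exec($sql);
}

// Hardened pattern: placeholders keep the username as a bound value; the driver
// never lets it reach the parser, whatever characters it contains. In WordPress
// the same separation is achieved with $wpdb->prepare().
function log_failed_login_safe(PDO $db, string $username, string $ip): void {
    $stmt = $db->prepare('INSERT INTO failed_logins (username, ip, ts) VALUES (:u, :ip, :ts)');
    $stmt->execute([':u' => $username, ':ip' => $ip, ':ts' => time()]);
}

// Constructed sample input: a username containing a single quote, which any
// login form can submit. The IP is from the documentation range (constructed).
$username = "o'connor";
$ip = '198.51.100.7';

try {
    log_failed_login_unsafe($db, $username, $ip);
    echo "unsafe: statement ran\n";
} catch (PDOException $e) {
    // The quote broke the statement: proof that form input is being parsed as SQL.
    echo "unsafe: SQL error - " . $e->getMessage() . "\n";
}

log_failed_login_safe($db, $username, $ip);
$row = $db->query('SELECT username FROM failed_logins')->fetch(PDO::FETCH_ASSOC);
echo "safe: stored username verbatim: " . $row['username'] . "\n";
```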
Since this vulnerability is definitely one of the most serious problems found in a WordPress plugin in recent years, the CMS security team decided to force-push Loginizer version 1.6.4 to all vulnerable sites.
Ryan Dewhurst, founder and head of WPScan, told ZDNet reporters that the ability to force-update plugins has been present in the WordPress codebase since version 3.7, released in 2013, but is rarely used.
“A vulnerability that I personally discovered in the popular Yoast SEO WordPress plugin in 2015 was force-fixed, although the problem I discovered was not nearly as dangerous as the problem in the Loginizer plugin. I am not aware of others [cases of forced plugin updates], but it is very likely that there were some,” says Dewhurst.
Interestingly, WordPress core developer Samuel Wood says that this feature has been used “many times”, although he did not give details. And in 2015, another WordPress developer stated that the forced plugin update feature had been used only five times since its inception in 2013.
It must be said that the WordPress developers have good reason not to overuse this feature. After the forced update to Loginizer 1.6.4, users immediately began complaining and expressing resentment on the plugin's forum in the WordPress.org repository; the authors of angry comments were perplexed as to how the plugin could update even though auto-updates were disabled.
In turn, Dewhurst believes that this feature is almost never used because WordPress developers fear the risks of distributing a broken patch to a large number of users.