22 October 2020

Loginizer WordPress plugin gets forced security update for severe SQL injection vulnerability


The WordPress security team has pushed out a forced security update for a popular WordPress plugin called Loginizer, which has over one million active installs. This week, WordPress sites running Loginizer were automatically updated to Loginizer version 1.6.4, including sites that had not been set to auto-update.

Loginizer is a WordPress plugin that helps site owners defend against brute-force attacks by blocking logins from an IP address once it reaches the maximum number of allowed retries.

The forced update has been initiated due to a couple of flaws affecting the Loginizer plugin, one of which is a dangerous SQL injection issue (CVE-2020-27615) that can lead to complete takeover of the affected application.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "loginizer_login_failed" and "lz_valid_ip" functions within the brute-force protection functionality. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands in the application database.
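The class of bug described above, values taken from a login request spliced straight into the SQL that records the failed attempt, is easiest to see next to its fix. The following is an added illustration written for this article, not Loginizer's code and not the patched 1.6.4 code: it logs a failed login to an in-memory SQLite table with PDO, once by string concatenation and once with a parameterized statement, and shows how a plain single quote in the username already breaks the concatenated query. The table name, columns, sample username and IP are constructed for the example; the `valid_ip` helper is a stand-in for the kind of input check a brute-force module needs and is not the page's `lz_valid_ip`. In a WordPress plugin the parameterized form corresponds to `$wpdb->prepare()` with `%s`/`%d` placeholders.

```php
<?php
// Added example (not Loginizer's code): logging a failed login attempt, first
// with the unsafe concatenation pattern, then with a bound-parameter query.
// Runs stand-alone against an in-memory SQLite database via PDO.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed table for the example; real plugins use their own schema.
    $db->exec('CREATE TABLE failed_logins (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL,
        ip TEXT NOT NULL,
        attempted_at INTEGER NOT NULL
    )');
    return $db;
}

// UNSAFE: request-controlled values become part of the SQL text itself, so a
// quote character in $username or $ip changes the structure of the statement.
function log_failed_login_unsafe(PDO $db, string $username, string $ip): void {
    $sql = "INSERT INTO failed_logins (username, ip, attempted_at) VALUES ('"
         . $username . "', '" . $ip . "', " . time() . ")";
    $db->exec($sql);
}

// SAFE: the SQL structure is fixed and the values travel as bound parameters.
// In WordPress the equivalent is $wpdb->prepare() with %s / %d placeholders.
function log_failed_login_safe(PDO $db, string $username, string $ip): void {
    $stmt = $db->prepare(
        'INSERT INTO failed_logins (username, ip, attempted_at) VALUES (:u, :ip, :t)'
    );
    $stmt->execute([':u' => $username, ':ip' => $ip, ':t' => time()]);
}

// Hypothetical validation helper (not the plugin's lz_valid_ip): reject anything
// that is not a syntactically valid IP address before it reaches the database.
function valid_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

$db       = make_db();
$username = "o'brien";      // constructed sample input containing a single quote
$ip       = "203.0.113.7";  // constructed sample input (documentation range)

try {
    log_failed_login_unsafe($db, $username, $ip);
    echo "unsafe: inserted without error (unexpected)\n";
} catch (PDOException $e) {
    // The quote in the username terminated the string literal early, so the
    // database saw a malformed statement. The same mechanism is what lets an
    // attacker-controlled value alter the query's meaning.
    echo "unsafe: query broke on a single quote: " . $e->getMessage() . "\n";
}

if (valid_ip($ip)) {
    log_failed_login_safe($db, $username, $ip);
}
$row = $db->query('SELECT username, ip FROM failed_logins')->fetch(PDO::FETCH_ASSOC);
echo "safe: stored username=" . $row['username'] . " ip=" . $row['ip'] . "\n";
```

The safe variant stores `o'brien` verbatim because the value never touches the SQL text. For detection, the unsafe variant's failure mode is also the signal to watch: database syntax errors logged from the login path on a production site are a sign that request data is reaching a query unparameterized.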

Given the severity of this flaw, the WordPress security team decided to push a forced update to all sites running Loginizer on WordPress 3.7 and higher. This move caused backlash from some of the plugin's users, because they had not initiated it themselves and had not enabled automatic updates for plugins. After several users posted complaints on the WordPress support forum, WordPress core developer Samuel Wood said that “WordPress.org has the ability to turn on auto-updates for security issues in plugins” and has used this capability many times.
