22 October 2020

Loginizer WordPress plugin gets forced security update for severe SQL injection vulnerability

The WordPress security team has pushed out a forced security update for a popular WordPress plugin called Loginizer, which has over one million active installs. This week, WordPress sites running Loginizer were automatically updated to Loginizer version 1.6.4, including sites that had not been set to auto-update plugins.

Loginizer is a WordPress plugin that helps site owners defend against brute-force attacks by blocking logins from an IP address once it reaches the maximum number of allowed retries.

The forced update was initiated because of a couple of flaws affecting the Loginizer plugin, one of which is a dangerous SQL injection issue (CVE-2020-27615) that can lead to complete takeover of the affected site.

The vulnerability stems from insufficient sanitization of user-supplied data in the "loginizer_login_failed" and "lz_valid_ip" functions of the brute-force protection code: values taken from a login attempt are written into the database without being properly escaped or bound as parameters. A remote attacker can send a specially crafted request to the affected site and execute arbitrary SQL commands against the application database.
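
The pattern described above, as an added illustration that is not Loginizer's code: a brute-force protection routine records the username and IP of every failed login, and the difference between interpolating those attacker-controlled strings into the SQL and binding them as parameters is the whole bug. The `users` and `login_failures` tables, the hash value, the IP address and the function names are constructed for the demo; the payload uses SQLite's `||` string concatenation (MySQL would need `CONCAT()`), and the vulnerable path issues a single statement, as WordPress's database layer does, so no stacked queries are assumed.

```python
import sqlite3

# Constructed sample data: a users table standing in for the site's user
# store and a log table like the one a brute-force plugin writes failed
# attempts to. Illustrative model only, not the plugin's schema.
SCHEMA = """
CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT);
INSERT INTO users VALUES ('admin', '$P$BconstructedHashForDemo0000000');
CREATE TABLE login_failures (id INTEGER PRIMARY KEY, username TEXT, ip TEXT);
"""


def fresh_db():
    """Return a new in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def log_failed_login_vulnerable(conn, username, ip):
    """Attacker-controlled values interpolated straight into the SQL text.

    This is the bug class behind CVE-2020-27615: whatever the client sends as
    the login name (or as its IP, if that is taken from a client header) is
    parsed by the database as part of the statement.
    """
    sql = (
        "INSERT INTO login_failures (username, ip) "
        f"VALUES ('{username}', '{ip}')"
    )
    conn.execute(sql)
    conn.commit()


def log_failed_login_fixed(conn, username, ip):
    """Same operation with bound parameters.

    The driver sends the values separately from the statement, so they can
    never be parsed as SQL. In WordPress the equivalent is $wpdb->prepare()
    or $wpdb->insert() with format specifiers.
    """
    conn.execute(
        "INSERT INTO login_failures (username, ip) VALUES (?, ?)",
        (username, ip),
    )
    conn.commit()


def last_logged_username(conn):
    """Return the username stored by the most recent failed-login record."""
    row = conn.execute(
        "SELECT username FROM login_failures ORDER BY id DESC LIMIT 1"
    ).fetchone()
    return row[0] if row else None


# Payload submitted as the "username" of a failed login attempt. It closes
# the string literal, splices in a subquery, and reopens the literal so the
# INSERT remains a single valid statement.
PAYLOAD = "'||(SELECT pw_hash FROM users WHERE login='admin')||'"


def demo():
    """Run the same payload through both code paths and return what got logged."""
    vuln = fresh_db()
    log_failed_login_vulnerable(vuln, PAYLOAD, "203.0.113.7")  # constructed IP
    fixed = fresh_db()
    log_failed_login_fixed(fixed, PAYLOAD, "203.0.113.7")
    return last_logged_username(vuln), last_logged_username(fixed)


if __name__ == "__main__":
    leaked, stored = demo()
    print("vulnerable path logged:", leaked)   # the admin password hash
    print("fixed path logged:     ", stored)   # the payload, as a plain string
```

On the vulnerable path the subquery runs and the admin's password hash lands in the log; on the fixed path the log simply contains the odd-looking username the attacker typed. The check a reviewer wants is therefore not "is the value escaped somewhere" but "is every client-supplied value, including IP addresses derived from request headers, passed as a bound parameter".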

Given the severity of this flaw, the WordPress security team decided to push a forced update to all sites running Loginizer on WordPress 3.7 and higher. The move drew backlash from some of the plugin's users, because they had not initiated the update themselves and had not enabled automatic updates for plugins. After several users posted complaints on the WordPress support forum, WordPress core developer Samuel Wood said that “WordPress.org has the ability to turn on auto-updates for security issues in plugins” and has used this capability many times.
