The WordPress security team has pushed out a forced security update for a popular WordPress plugin called Loginizer that has over one million active installs. This week, WordPress sites running Loginizer were automatically updated to Loginizer version 1.6.4, including sites that had not been set to auto-update.
Loginizer is a WordPress plugin that helps users defend against brute-force attacks by blocking logins from an IP address once it reaches the maximum number of allowed retries.
The forced update was initiated because of a couple of flaws affecting the Loginizer plugin, one of which is a dangerous SQL injection issue (CVE-2020-27615) that can lead to complete takeover of the affected application.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "loginizer_login_failed" and "lz_valid_ip" functions within the brute-force protection functionality. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
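As an added illustration of the defect class described above (this is not Loginizer's code; the function and table names are hypothetical, and it assumes the request-derived IP string is the unsanitized value), here is the same failed-login lookup written with string interpolation beside a hardened form that validates the value and binds it through `$wpdb->prepare()`:

```php
<?php
// Illustrative example, not Loginizer's code. Function and table names
// are hypothetical; $wpdb is the WordPress database object.

// Weak pattern: a request-derived string is interpolated straight into SQL.
// Nothing guarantees it is an IP, so it can be interpreted as SQL syntax.
function lz_example_failed_count_weak( $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'loginizer_logs'; // hypothetical table name
    $sql   = "SELECT COUNT(*) FROM {$table} WHERE ip = '{$ip}'";
    return (int) $wpdb->get_var( $sql );
}

// Hardened pattern: reject anything that is not a syntactically valid IP,
// then let prepare() bind the value. Only values can be bound; the table
// name comes from $wpdb->prefix, never from the request.
function lz_example_failed_count_safe( $ip ) {
    global $wpdb;
    if ( ! is_string( $ip ) || filter_var( $ip, FILTER_VALIDATE_IP ) === false ) {
        return null; // do not query or store a value that is not an IP
    }
    $table = $wpdb->prefix . 'loginizer_logs'; // hypothetical table name
    $sql   = $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE ip = %s", $ip );
    return (int) $wpdb->get_var( $sql );
}

// The same rule applies to the write performed on a failed login attempt.
function lz_example_record_failure_safe( $ip, $username ) {
    global $wpdb;
    if ( ! is_string( $ip ) || filter_var( $ip, FILTER_VALIDATE_IP ) === false ) {
        return false;
    }
    $table = $wpdb->prefix . 'loginizer_logs'; // hypothetical table name
    // $wpdb->insert() escapes each value; the format array declares the types.
    return (bool) $wpdb->insert(
        $table,
        array( 'ip' => $ip, 'username' => sanitize_user( $username ), 'time' => time() ),
        array( '%s', '%s', '%d' )
    );
}
```

Validation and parameter binding are complementary: the `filter_var()` check keeps junk out of the log table, and `prepare()` guarantees that whatever is stored or queried is treated as data rather than SQL.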
Given the severity of this flaw, the WordPress security team decided to push a forced update to all sites running Loginizer on WordPress 3.7 and higher. This move caused a backlash from some of the plugin's users, because they had not initiated it themselves and had not enabled automatic updates for plugins. After several users posted complaints on the WordPress support forum, WordPress core developer Samuel Wood said that "WordPress.org has the ability to turn on auto-updates for security issues in plugins" and has used this capability many times.