This week, the WordPress developers were forced to take extreme measures and take a very rare step: they forcibly updated the Loginizer plugin to version 1.6.4 for all users. Loginizer is one of the most popular plugins for WordPress (over 1,000,000 installs) and aims to improve the security of the WordPress login page. For example, it can be used to blacklist or whitelist IP addresses, add two-factor authentication or a CAPTCHA to block automated login attempts, and so on.

Information security researcher Slavko Mihajloski found a serious problem in Loginizer this week. According to the description of the bug, it is a SQL injection related to the brute-force protection mechanism, which is enabled by default for every site where the plugin is installed. To exploit this vulnerability, an attacker attempts to log into the site using a username that is known to be invalid and that contains SQL statements. When authentication fails, Loginizer records the failed login attempt in the site database along with the invalid username. The plugin does not sanitize the username, so the embedded SQL reaches the database intact, which allows attackers to execute malicious code. Mihajloski writes that, because of this, any unauthenticated attacker can completely compromise a site running WordPress.

Because this vulnerability is definitely one of the most serious problems found in WordPress plugins in recent years, the CMS security team decided to push Loginizer version 1.6.4 to all affected sites.
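As an added illustration (not Loginizer's code, which the article does not reproduce), here is the logging pattern the bug description implies beside its hardened form using WordPress's `$wpdb` placeholders; the table name and the `example_*` function names are assumptions, while `$wpdb`, `$wpdb->insert()`, `$wpdb->prepare()` and the `wp_login_failed` action are WordPress core.

```php
<?php
// Added example, not Loginizer's own code: it models the class of bug the
// article describes (a failed-login username written to the database without
// sanitisation) next to the fix. Table and function names are hypothetical.

// VULNERABLE pattern: the raw username is interpolated into the SQL string, so
// whatever the visitor typed into the login form becomes part of the statement
// executed with the site's database privileges.
function example_log_failed_login_unsafe( $username ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_failed_logins'; // hypothetical table
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $sql   = "INSERT INTO {$table} (username, ip, attempted_at) "
           . "VALUES ('{$username}', '{$ip}', " . time() . ")";
    $wpdb->query( $sql ); // unsanitised $username reaches the database as SQL
}

// HARDENED pattern: every value is bound through a format placeholder, so the
// database layer treats it as data, never as SQL. $wpdb->insert() builds the
// prepared statement from the value array and the matching format array.
function example_log_failed_login_safe( $username ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_failed_logins'; // hypothetical table
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $wpdb->insert(
        $table,
        array(
            'username'     => $username, // escaped via the %s format below
            'ip'           => $ip,
            'attempted_at' => time(),
        ),
        array( '%s', '%s', '%d' )
    );
}

// Same principle for a hand-built query, e.g. counting a user's failures for
// the lockout check: $wpdb->prepare() binds the username as a %s parameter.
function example_count_failures_for_user( $username ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_failed_logins'; // hypothetical table
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE username = %s",
        $username
    ) );
}

// Record every failed attempt through the core hook; the attempted username
// (valid or not) is the hook's first argument.
add_action( 'wp_login_failed', 'example_log_failed_login_safe' );
```

The unsafe function is kept only to show the defect; in a plugin, only the prepared-statement variants should ever be wired to the hook.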
Ryan Dewhurst, founder and head of WPScan, told ZDNet reporters that the forced plugin update feature has been in the WordPress codebase since version 3.7, released in 2013, but is rarely used.
“A vulnerability that I personally discovered in the popular Yoast SEO WordPress plugin in 2015 was forcibly fixed, although the problem I found was not as dangerous as the problem in the Loginizer plugin. I am not aware of other [cases of forced plugin updates], but it is very likely that there have been some,” says Dewhurst.
Interestingly, WordPress core developer Samuel Wood assures that the function has been used “many times”, although he does not elaborate. And in 2015, another WordPress developer claimed that the forced plugin update feature had been used only five times since its introduction in 2013.

It must be said that WordPress developers try not to abuse this feature for a reason. After the forced update to Loginizer 1.6.4, users immediately began to complain and voice their resentment on the plugin's forum in the WordPress.org repository. The authors of the angry comments are perplexed as to how the plugin could be updated even with auto-updates disabled.