By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
10alert.com10alert.com
  • Threats
    • WordPress ThreatsDanger
    Threats
    A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include…
    Show More
    Top News
    What is an Exploit? -Kaspersky Daily
    8 months ago
    Darkhotel APT in luxury Asian hotels
    8 months ago
    Kaspersky Lab expert Andrey Pozhogin answers questions about ransomware
    8 months ago
    Latest News
    Triangulation: Trojan for iOS | Kaspersky official blog
    5 days ago
    Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023)
    5 days ago
    Safeguards against firmware signed with stolen MSI keys
    7 days ago
    WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
    7 days ago
  • Fix
    Fix
    Troubleshooting guide you need when errors, bugs or technical glitches might ruin your digital experience.
    Show More
    Top News
    Keylogger found on 5500 sites running WordPress
    Keylogger found on 5500 sites running WordPress
    8 months ago
    Windows 11 build 22622.575 (KB5016694) releases in the Beta Channel
    8 months ago
    How to create restore point on Windows 11
    8 months ago
    Latest News
    How automatically delete unused files from my Downloads folder?
    4 months ago
    Now you can speed up any video in your browser
    4 months ago
    How to restore access to a file after EFS or view it on another computer?
    4 months ago
    18 Proven Tips to Speed Up Your WordPress Site and Improve SEO | 2023 Guide
    5 months ago
  • How To
    How ToShow More
    Nine years of Project Galileo and how the last year has changed it
    Nine years of Project Galileo and how the last year has changed it
    17 hours ago
    Dynamic data collection with Zaraz Worker Variables
    Dynamic data collection with Zaraz Worker Variables
    4 days ago
    Reduce latency and increase cache hits with Regional Tiered Cache
    Reduce latency and increase cache hits with Regional Tiered Cache
    5 days ago
    Cloudflare is deprecating Railgun
    Cloudflare is deprecating Railgun
    5 days ago
    What is two-factor authentication | Kaspersky official blog
    1 week ago
  • News
    News
    This category of resources includes the latest technology news and updates, covering a wide range of topics and innovations in the tech industry. From new…
    Show More
    Top News
    How to add Vkontakte middle name?
    8 months ago
    How to prevent applications from running in the background on Windows 10?
    8 months ago
    Do you know how to reinstall Windows from a flash drive?
    8 months ago
    Latest News
    How to generate SSH keys on Windows 11
    7 hours ago
    How to enable file sharing on WSA for Windows 11
    7 hours ago
    How to add CPU, GPU, RAM widgets on Windows 11
    4 days ago
    How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
    1 week ago
  • Glossary
  • My Bookmarks
Reading: WordPress developers forcibly update a vulnerable plugin
Share
Notification Show More
Aa
Aa
10alert.com10alert.com
  • Threats
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
  • Threats
    • WordPress ThreatsDanger
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
Follow US
Wordpress Threats

WordPress developers forcibly update a vulnerable plugin

Tom Grant
Last updated: 10 October
Tom Grant 4 years ago
Share
4 Min Read

This week, the WordPress developers were forced to take extreme measures and take a very rare step: they forcefully updated the Loginizer plugin for all users to version 1.6.4. Loginizer is one of the most popular plugins for WordPress (over 1,000,000 installs), which aims to improve the security of the WordPress login page. For example, it can be used to blacklist or whitelist IP addresses, add support for two-factor authentication or CAPTCHA to block automatic login attempts, and so on. I found a serious problem in the Loginizer this week Information security researcher Slavko Mihajloski. According to the description of the bug, it is a SQL injection and is related to the operation of the brute force protection mechanism, which is enabled by default for all sites where the plugin is installed. To exploit this vulnerability , the attacker should attempt to log into the site using a username that is known to be invalid, where he can include SQL statements. When authentication fails, Loginizer will record this failed login attempt in the site database along with an invalid username. At the same time, the plugin does not perform the necessary cleaning of the username and leaves the SQL statements intact, which allows attackers to achieve the execution of malicious code. Mihajloski writes that because of this, any unauthenticated hacker has the opportunity to completely compromise a site running WordPress. Because this vulnerability is definitely one of the most serious problems found in WordPress plugins in recent years, the CMS security team decided to force Loginizer version 1.6.4 to all affected sites.

Ryan Dewhurst, founder and head of WPScan, told reporters ZDNet that the force plugin update feature has been in the WordPress codebase since version 3.7, released in 2013, but is rarely used.

“Vulnerability that I personally discovered in the popular Yoast SEO WordPress plugin in 2015, was forcibly fixed. Although the problem I found was not as dangerous as the problem in the Loginizer plugin. I am not aware of other [cases of forced plugin updates], but it is very likely that there have been some,” says Dewhurst.

Interestingly, WordPress core developer Samuel Wood assures that the function was used “many times“, although he does not elaborate. And in 2015, another WordPress developer claimed that the plugin forced update feature was used only five times since its introduction in 2013. It must be said that WordPress developers try not to abuse this feature for a reason. So, after the forced update of Loginizer 1.6.4, users immediately began to complain and resent on the plugin forum in the WordPress.org repository. Authors of angry comments are perplexed how the plugin could be updated even with auto-update disabled.

In turn, Dewhurst believes that this function is almost never used, because WordPress developers are afraid of the risks associated with distributing a non-working patch to a large number of users.


Source: xaker.ru

Translate this article

TAGGED: Authentication, Phishing, PoC, Security, SQL injection, WordPress, WordPress plugins
Tom Grant October 10, 2022 September 30, 2019
Share this Article
Facebook Twitter Reddit Telegram Email Copy Link Print

STAY CONECTED

24.8k Followers Like
253.9k Followers Follow
33.7k Subscribers Subscribe
124.8k Members Follow

LAST 10 ALERT

How to generate SSH keys on Windows 11
News 10 hours ago
How to enable file sharing on WSA for Windows 11
News 10 hours ago
Nine years of Project Galileo and how the last year has changed it
Nine years of Project Galileo and how the last year has changed it
Apps 17 hours ago
Dynamic data collection with Zaraz Worker Variables
Dynamic data collection with Zaraz Worker Variables
Apps 4 days ago
How to add CPU, GPU, RAM widgets on Windows 11
News 5 days ago

Recent Posts

  • How to generate SSH keys on Windows 11
  • How to enable file sharing on WSA for Windows 11
  • Nine years of Project Galileo and how the last year has changed it
  • Dynamic data collection with Zaraz Worker Variables
  • How to add CPU, GPU, RAM widgets on Windows 11

You Might Also Like

News

How to generate SSH keys on Windows 11

10 hours ago
Nine years of Project Galileo and how the last year has changed it
Apps

Nine years of Project Galileo and how the last year has changed it

17 hours ago
Dynamic data collection with Zaraz Worker Variables
Apps

Dynamic data collection with Zaraz Worker Variables

4 days ago
Reduce latency and increase cache hits with Regional Tiered Cache
Apps

Reduce latency and increase cache hits with Regional Tiered Cache

5 days ago
Show More

Related stories

How to Use Cloudflare to Secure Your WordPress Site
How To Starting Chrome from the command line
How to fix error 0x80070057 in Chrome?
Windows 10 How To Disable Slide to Shutdown
Windows search not working (FIX)
How to watch movies and TV series for free on Kinopoisk?
Previous Next

10 New Stories

Reduce latency and increase cache hits with Regional Tiered Cache
Cloudflare is deprecating Railgun
Triangulation: Trojan for iOS | Kaspersky official blog
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 22, 2023 to May 28, 2023)
Safeguards against firmware signed with stolen MSI keys
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Previous Next
Hot News
How to generate SSH keys on Windows 11
How to enable file sharing on WSA for Windows 11
Nine years of Project Galileo and how the last year has changed it
Dynamic data collection with Zaraz Worker Variables
How to add CPU, GPU, RAM widgets on Windows 11
10alert.com10alert.com
Follow US

© 10 Alert Network. All Rights Reserved.

  • Privacy Policy
  • Contact
  • Customize Interests
  • My Bookmarks
  • Glossary
Go to mobile version
adbanner
AdBlock Detected
Our site is an advertising supported site. Please whitelist to support our site.
Okay, I'll Whitelist
Welcome Back!

Sign in to your account

Lost your password?