WordPress deploys security update for Loginizer

WordPress implements forced security update for dangerous bug in popular plugin

The WordPress security team took a rare step last week, using a lesser-known internal capability to forcibly push a security update for a popular plugin.

WordPress sites with the Loginizer plugin were forcibly updated to Loginizer 1.6.4 this week. This version included a security fix for a dangerous SQL injection error that allowed hackers to take over WordPress sites running older versions of the Loginizer plugin.

Loginizer is one of the most popular WordPress plugins right now, with an install base of over a million sites.

The plugin provides security improvements for the WordPress login page. According to the official description, Loginizer can blacklist or whitelist IP addresses to access the WordPress login page, add support for two-factor authentication, or add simple CAPTCHAs to block automated login attempts, among many other features.

SQL INJECTION DISCOVERED IN LOGINIZER

This week, security researcher Slavco Mihajloski revealed a serious vulnerability in the Loginizer plugin. According to the description in the WPScan WordPress vulnerability database, the security bug resides in Loginizer's brute-force protection mechanism, which is enabled by default on all sites with Loginizer installed.

To exploit this bug, an attacker could try to log into a WordPress site with a malformed WordPress username containing SQL statements. When the authentication fails, the Loginizer plugin logs this failed attempt, including the failed username, in the WordPress site's database.

But as Slavco and WPScan explain, the plugin doesn't sanitize the username and leaves the SQL statements intact, allowing remote attackers to run queries against the WordPress database, in what security researchers call an unauthenticated SQL injection attack.
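The failure mode described above, as an added illustration rather than Loginizer's actual code: a hypothetical failed-login logger that concatenates the username into SQL, beside the same logger written with WordPress's $wpdb->prepare() placeholders. The table and column names are assumptions; the wp_login_failed hook and $wpdb->prepare() are real WordPress APIs.

```php
<?php
// Illustrative WordPress plugin code (not Loginizer's own): record a failed
// login in a custom table. Table and column names are assumed for the example.

// VULNERABLE PATTERN: the username is pasted straight into the SQL string.
// Because this runs on every failed login, any unauthenticated visitor can
// put attacker-controlled text into the query, which is exactly the class of
// bug described in the article.
function log_failed_login_unsafe( $username, $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'login_attempts'; // assumed table name
    $wpdb->query(
        "INSERT INTO `{$table}` (username, ip, attempted_at) VALUES ('"
        . $username . "', '" . $ip . "', NOW())"
    );
}

// HARDENED PATTERN: $wpdb->prepare() binds the values through %s placeholders,
// so the submitted username is stored verbatim but can never alter the
// structure of the query. Table names cannot be bound, so the trusted
// $wpdb->prefix is interpolated separately.
function log_failed_login_safe( $username, $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'login_attempts'; // assumed table name
    $wpdb->query(
        $wpdb->prepare(
            "INSERT INTO `{$table}` (username, ip, attempted_at) VALUES (%s, %s, NOW())",
            $username,
            $ip
        )
    );
}

// wp_login_failed is the core WordPress action fired after a failed login;
// its first argument is the username the visitor submitted.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    log_failed_login_safe( $username, $ip );
} );
```

When auditing a plugin for this bug class, grep for $wpdb->query() and $wpdb->get_results() calls whose SQL is built with string concatenation or interpolation of request-derived values and is not wrapped in $wpdb->prepare().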

“It allows any unauthenticated attacker to completely compromise a WordPress website,” Ryan Dewhurst, founder and CEO of WPScan, told ZDNet in an e-mail today.

“This could put anyone with some basic command-line skills at risk for a WordPress website,” Dewhurst said.

FORCED PLUGIN UPDATE RECEIVES PUBLIC BACKLASH

The bug is one of the worst security vulnerabilities discovered in a WordPress plugin in recent years, which is why the WordPress security team appears to have decided to forcibly push the Loginizer 1.6.4 patch to all affected sites.

Dewhurst told ZDNet that this "forced plugin update" feature has been present in the WordPress codebase since v3.7, released in 2013; however, it has been used very rarely. “A vulnerability I discovered myself in the popular Yoast SEO WordPress plugin in 2015 was forcibly updated. Although the vulnerability I discovered was not nearly as dangerous as the one discovered in the Loginizer WordPress plugin,” said Dewhurst.

“I'm not aware of any other [cases of forced plugin updates], but it's very likely that there have been others,” the WPScan founder added.

But there's a reason the WordPress security team doesn't use this feature for all plugin vulnerabilities and only for the bad ones. As soon as the Loginizer 1.6.4 patch hit WordPress sites last week, users started complaining on the plugin forum in the WordPress.org repository.

“Loginizer automatically updated from 1.6.3 to 1.6.4, although I did NOT activate this new WordPress option. How is it possible?” asked one disgruntled user. “I also have the same question. It's happened on 3 websites I run, none of which are set to update automatically,” said another.

Dewhurst believes the feature isn't used more widely because the WordPress team fears the "risks of passing a broken patch on to so many users."

WordPress core developer Samuel Wood said this week that the feature has been used "often" but didn't provide details about other instances where it was used. In 2015, another WordPress developer said that the forced plugin update feature had only been used five times since its launch in 2013, confirming that this feature is reserved for critical bugs affecting millions of sites, not just any plugin vulnerability.

WordPress maintenance outsourcing

Next to our WordPress maintenance service, you can also have Flexamedia secure your website. This way you are assured of a solid security setup and will not be bothered by cyber attacks from outside.

Moreover, most hackers and cyber criminals don't stand a chance this way. It takes hackers too much time and effort to penetrate your website at all.

We take care of the most professional protection of your website so that you no longer have to worry about the security of your data.
