Last week an SQL injection vulnerability was discovered in the popular Loginizer plugin used by over a million WordPress sites. Such was the risk, WordPress took the unusual step of forcing updates into sites that use the plug-in – even those with auto-update turned off.
The flaw in Loginizer can be exploited by an attacker trying to login with a specially crafted username. Vulnerable versions of Loginizer do not correctly sanitise the username allowing it to be used for an SQL injection or Cross-Site Scripting attack. The patched version of Loginizer is version 1.6.4, if you are not already running it a prompt update is recommended. Proof of concept attack code is due to be published on 4th November 2020.
Since WordPress version 3.7, there has been the ability for WordPress to force update third party plugins – even if auto-update is disabled in the WordPress configuration.
Every plug-in added to WordPress (or similar systems) increases it’s attack surface and the opportunity for attackers to find a vulnerability that can be exploited. System Administrators should regularly review the plug-ins installed and disable and remove any that are not required.