The WordPress security team took emergency measures and used a little-known internal feature to force an update of a popular plugin: sites running the Loginizer plugin were forcibly updated to version 1.6.4, which contains fixes for six vulnerabilities that allow SQL injection and takeover of a site.
The plugin hardens the login pages of WordPress sites. According to the official description, Loginizer can block access to the login page from blacklisted IP addresses, add support for two-factor authentication, add CAPTCHAs, and so on. Loginizer is currently one of the most popular WordPress plugins, installed on over 1 million sites.
Security researcher Slavco Mihajloski discovered the dangerous vulnerabilities in the plugin this week. The problem lies in the default brute-force protection implemented in Loginizer. To exploit it, an attacker would attempt to log in to the WordPress site with a malicious username that contains SQL statements. When the login attempt fails, Loginizer records the attempt in the site's database together with the username.
The plugin does not properly validate the username and leaves the SQL statements intact, so the username becomes part of the query, allowing a remote attacker to execute SQL against the WordPress database (SQL injection).
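The following is an added illustration, not Loginizer's own code, of the defect class described above: a failed-login logger that concatenates the attacker-controlled username into an INSERT statement, placed beside a hardened version that sends every value as a bound parameter through the WordPress `$wpdb` API. The table name `{$wpdb->prefix}failed_logins` and the function names are hypothetical; `wp_login_failed`, `$wpdb->insert()`, `$wpdb->prepare()` and `current_time()` are standard WordPress APIs.

```php
<?php
// Added example (not the plugin's code). Table "{$wpdb->prefix}failed_logins"
// is hypothetical; it is assumed to have columns username, ip, attempted_at.

// VULNERABLE PATTERN: the username supplied at the login form is interpolated
// straight into the SQL text, so any SQL syntax inside it is executed as SQL.
function insecure_log_failed_login( $username ) {
    global $wpdb;
    $table = $wpdb->prefix . 'failed_logins';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $time  = current_time( 'mysql' );
    // Do not do this: untrusted input concatenated into the statement.
    $wpdb->query( "INSERT INTO $table (username, ip, attempted_at) VALUES ('$username', '$ip', '$time')" );
}

// HARDENED: values are passed to $wpdb->insert() with explicit %s formats,
// so they are escaped by the database layer and never interpreted as SQL.
function secure_log_failed_login( $username ) {
    global $wpdb;
    $table = $wpdb->prefix . 'failed_logins';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    // Cap the stored length so the log column cannot be abused for bulk stuffing.
    $username = mb_substr( (string) $username, 0, 60 );
    $wpdb->insert(
        $table,
        array(
            'username'     => $username,
            'ip'           => $ip,
            'attempted_at' => current_time( 'mysql' ),
        ),
        array( '%s', '%s', '%s' ) // one placeholder type per column, all strings
    );
}

// The same discipline for a SELECT: prepare() binds the IP and the window size,
// which is what a lockout decision ("N failures in the last M minutes") needs.
function count_recent_failures_for_ip( $ip, $window_minutes = 15 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'failed_logins';
    $sql   = $wpdb->prepare(
        "SELECT COUNT(*) FROM $table WHERE ip = %s AND attempted_at > DATE_SUB(%s, INTERVAL %d MINUTE)",
        $ip,
        current_time( 'mysql' ),
        (int) $window_minutes
    );
    return (int) $wpdb->get_var( $sql );
}

// Hook the hardened logger to the core failed-login action.
add_action( 'wp_login_failed', 'secure_log_failed_login' );
```

The point of the contrast is that the fix is not input filtering of the username (which must be stored as typed so the log stays useful) but keeping data out of the SQL text entirely; `$wpdb->insert()` and `$wpdb->prepare()` do that for every value, including the IP address and timestamp, which are as untrusted as the username.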
Mihajloski has provided a description of the attack and a simple PoC script here.
The vulnerability is one of the most serious WordPress plugin vulnerabilities of the past few years, and the WordPress security team went to extreme measures to force the update. The push-to-install (forced update) feature has been present in the WordPress codebase since version 3.7, released in 2013, but is rarely used.