WordPress forced over one million websites that use the Loginizer plugin to update to version 1.6.4. Earlier versions contained a dangerous SQL injection bug that could allow attackers to take over affected sites. The popular plugin hardens the WordPress login page: it can blacklist or whitelist IP addresses, add two-factor authentication, and add CAPTCHA to WordPress pages.
SQL injection bug
WPScan stated that the critical bug resides in the plugin's brute-force protection module, which is enabled by default when the plugin is installed. An attacker can attempt to log in to a WordPress site with a crafted username that contains SQL. Loginizer records the failed attempt without sanitizing the username, so the attacker-supplied string, SQL included, is written straight into the plugin's database table. Since a failed login by definition requires no valid credentials, the flaw is reachable by unauthenticated attackers. The Loginizer team also stated,
“The WordPress team helped auto-upgrade the Loginizer plugin to 1.6.4 for a large percentage of users, even for users who did not enable auto upgrade, because this was a security fix. We also pushed the security upgrade via Softaculous, so the WordPress installations done by Softaculous and having Loginizer were upgraded automatically. These two options helped upgrade a large portion of installations.”
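The mechanism described above, a failed-login logger that splices the submitted username into an INSERT, is easy to reproduce in miniature. The following is an added example written for this article, not code from Loginizer or WordPress: it models the flaw and the fix side by side against an in-memory SQLite database. The table names, columns, admin hash and attacker payload are all constructed for the demonstration, and SQLite's `||` concatenation stands in for the MySQL syntax a real attacker would use.

```python
import sqlite3

# Constructed stand-in for a stored WordPress password hash (not a real hash).
ADMIN_HASH = "$P$Bconstructed.hash.value.for.demo"


def setup_db():
    """Build a tiny in-memory stand-in for the WordPress database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    # Hypothetical failed-login log table, modelled on what a brute-force guard keeps.
    conn.execute("CREATE TABLE login_logs (id INTEGER PRIMARY KEY, username TEXT, ip TEXT, ts INTEGER)")
    conn.commit()
    return conn


def log_failed_login_vulnerable(conn, username, ip, ts):
    """Models the flaw: the submitted username is formatted into the SQL text verbatim."""
    sql = ("INSERT INTO login_logs (username, ip, ts) "
           f"VALUES ('{username}', '{ip}', {ts})")
    conn.execute(sql)
    conn.commit()


def log_failed_login_fixed(conn, username, ip, ts):
    """Models the fix: bound parameters, so the username is data and never parsed as SQL."""
    conn.execute(
        "INSERT INTO login_logs (username, ip, ts) VALUES (?, ?, ?)",
        (username, ip, ts),
    )
    conn.commit()


# Constructed attacker username: closes the quoted literal, concatenates a subquery
# that reads the admin's password hash, then reopens the literal so the INSERT stays valid.
PAYLOAD = "' || (SELECT user_pass FROM users WHERE user_login='admin') || '"


def attempt_login(conn, username, ip, ts, logger):
    """Stand-in for the login handler: an unknown user is a failed attempt and gets logged."""
    row = conn.execute("SELECT 1 FROM users WHERE user_login = ?", (username,)).fetchone()
    if row is None:
        logger(conn, username, ip, ts)   # this call is the vulnerable or fixed sink
        return False
    return True


def logged_usernames(conn):
    """Return what actually landed in the log table, in insertion order."""
    return [r[0] for r in conn.execute("SELECT username FROM login_logs ORDER BY id")]


def demo(logger):
    """Run one attacker login attempt through the given logger and report the stored username."""
    conn = setup_db()
    attempt_login(conn, PAYLOAD, "203.0.113.5", 1603000000, logger)
    return logged_usernames(conn)


if __name__ == "__main__":
    # Vulnerable sink: the subquery executes and the admin hash is written into the log row.
    print("vulnerable:", demo(log_failed_login_vulnerable))
    # Fixed sink: the payload is stored as an inert string, exactly as typed.
    print("fixed:     ", demo(log_failed_login_fixed))
```

With the vulnerable logger the stored "username" is the admin's password hash, pulled out of `users` by the attacker's subquery, without the attacker ever authenticating; with the parameterised logger the same payload is stored as a harmless string. In a WordPress plugin the equivalent of the fixed version is building the statement with `$wpdb->prepare()` rather than string concatenation. A site operator checking exposure wants the installed plugin version, which on a host with WP-CLI is `wp plugin get loginizer --field=version`; anything below 1.6.4 should be upgraded.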