WordPress deploys forced security update for dangerous bug in popular plugin

October 22, 2020
in Internet Security

The WordPress security team took a rare step last week and used a lesser-known internal capability to forcibly push a security update for a popular plugin.

WordPress sites running the Loginizer plugin were forcibly updated this week to Loginizer version 1.6.4.

This version contained a security fix for a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the Loginizer plugin.

Loginizer is one of today’s most popular WordPress plugins, with an install base of over one million sites.

The plugin provides security enhancements for the WordPress login page. According to its official description, Loginizer can blacklist or whitelist IP addresses for access to the WordPress login page, add support for two-factor authentication, or add simple CAPTCHAs to block automated login attempts, among many other features.

SQL injection discovered in Loginizer

This week, security researcher Slavco Mihajloski disclosed a severe vulnerability in the Loginizer plugin.

According to a description provided by the WPScan WordPress vulnerability database, the security bug resides in Loginizer’s brute-force protection mechanism, enabled by default for all sites where Loginizer is installed.

To exploit this bug, an attacker can try to log into a WordPress site using a malformed WordPress username in which they can include SQL statements.

When the authentication fails, the Loginizer plugin will record this failed attempt in the WordPress site’s database, along with the failed username.

But as Slavco and WPScan explain, the plugin doesn’t sanitize the username and leaves the SQL statements intact, allowing remote attackers to run code against the WordPress database — in what security researchers refer to as an unauthenticated SQL injection attack.
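To make the defect class concrete, here is an added PHP illustration (written for this page, not Loginizer's code; the table, column and function names are hypothetical) of a failed-login logger that interpolates the attempted username into SQL, beside the same logger written with WordPress's `$wpdb->prepare()` placeholders and with `$wpdb->insert()`:

```php
<?php
// Added illustration, not Loginizer's code. Assumes a WordPress runtime where the
// global $wpdb object exists; the table and column names are hypothetical.

// VULNERABLE PATTERN: the untrusted $username is concatenated into the query text,
// so characters in the username become part of the SQL statement itself.
function record_failed_login_unsafe( $username, $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_failed_logins'; // hypothetical table
    $sql   = "INSERT INTO $table (username, ip, attempted_at) "
           . "VALUES ('" . $username . "', '" . $ip . "', NOW())";
    return $wpdb->query( $sql );
}

// HARDENED PATTERN: the same insert with bound placeholders. $wpdb->prepare()
// escapes every %s value; the table identifier is built only from trusted input.
function record_failed_login_safe( $username, $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_failed_logins'; // hypothetical table
    $sql   = $wpdb->prepare(
        "INSERT INTO {$table} (username, ip, attempted_at) VALUES (%s, %s, NOW())",
        $username,
        $ip
    );
    return $wpdb->query( $sql );
}

// Equivalent and usually preferred in WordPress code: $wpdb->insert() builds the
// prepared statement from a data array and a per-column format list.
function record_failed_login_insert( $username, $ip ) {
    global $wpdb;
    return $wpdb->insert(
        $wpdb->prefix . 'example_failed_logins',
        array(
            'username'     => $username,
            'ip'           => $ip,
            'attempted_at' => current_time( 'mysql' ),
        ),
        array( '%s', '%s', '%s' )
    );
}

// WordPress fires the wp_login_failed action with the submitted username, which is
// where a brute-force logger of this kind would hook in.
add_action( 'wp_login_failed', function ( $username ) {
    record_failed_login_insert( $username, $_SERVER['REMOTE_ADDR'] ?? '' );
} );
```

When auditing a plugin for this class of bug, look for `$wpdb->query()` or `$wpdb->get_results()` calls whose SQL string is assembled with `.` or double-quoted interpolation from request data, rather than passed through `prepare()` or one of the `$wpdb->insert()`/`update()` helpers.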

“It allows any unauthenticated attacker to completely compromise a WordPress website,” Ryan Dewhurst, Founder & CEO of WPScan, told ZDNet in an email today.

Dewhurst also pointed out that Mihajloski provided a simple proof-of-concept script in a detailed write-up published earlier today.

“This allows anyone with some basic command-line skills to completely compromise a WordPress website,” Dewhurst said.

Forced plugin update receives public backlash

The bug is one of the worst security issues discovered in WordPress plugins in recent years, and it’s why the WordPress security team appears to have decided to forcibly push the Loginizer 1.6.4 patch to all affected sites.

Dewhurst told ZDNet that this “forced plugin update” feature has been present in the WordPress codebase since v3.7, released in 2013; however, it has been used very rarely.

“A vulnerability I myself discovered in the popular Yoast SEO WordPress plugin back in 2015 was forcibly updated. Although, the one I discovered was not nearly as dangerous as the one discovered within the Loginizer WordPress plugin,” Dewhurst said.

“I’m not aware of any other [cases of forced plugin updates], but it is very likely that there have been others,” the WPScan founder added.

But there’s a reason why the WordPress security team doesn’t use this feature for all plugin vulnerabilities and reserves it for the worst bugs.

As soon as the Loginizer 1.6.4 patch started reaching WordPress sites last week, users started complaining on the plugin’s forum on the WordPress.org repository.

“Loginizer has been updated from 1.6.3 to 1.6.4 automatically although I had NOT activated this new WordPress option. How is it possible?” asked one disgruntled user.

“I have the same question too. It has happened on 3 websites I look after of which none of them have been set to auto update,” said another.

Similar negative feedback was also seen back in 2015 when Dewhurst first saw the plugin forced update feature being deployed by the WordPress team.

The more I think about it, the more infuriating the auto-update of WP SEO gets.

— My name is Doug, I have just met you, & I LOVE YOU (@zamoose) March 12, 2015

Dewhurst believes the feature isn’t more broadly used because the WordPress team fears the “risks of pushing a broken patch to so many users.”

WordPress core developer Samuel Wood said this week that the feature has been used “many times” but did not provide details about the other instances. In 2015, another WordPress developer said the forced plugin update feature had been used only five times since it launched in 2013, confirming that it is reserved for critical bugs affecting millions of sites, not for just any plugin vulnerability.


Credit: Zdnet
