Since version 5.5 of the content management system (CMS) WordPress, it has been possible to enable automatic updates not only for the CMS itself but also for plugins. Normally this is an optional setting. In the case of the popular plugin Loginizer, however, the WordPress team made an exception: for security reasons, it pushed Loginizer 1.6.4 as a mandatory update to WP installations in which the plugin is installed. Admins of potentially affected sites should nevertheless check whether the update has actually arrived.
Loginizer, which is active in more than one million WP installations, is actually meant to protect them from unauthorized login attempts. Among other things, it is supposed to ward off brute-force attacks by monitoring login attempts per IP address and blocking access once a maximum number of attempts is reached. In the present case, however, a dangerous SQL injection bug in Loginizer versions before 1.6.4 undermines the entire login protection. An attacker could log in without valid credentials and thus compromise the complete installation.
The bug has been assigned the CVE number CVE-2020-27615.
Proof-of-concept code available
According to a brief description of the vulnerability in the WPScan WordPress vulnerability database, the plugin logs login attempts with unknown usernames and stores them in a database table in the backend. Because of missing input checks, attackers were apparently able, until the Loginizer update to 1.6.4, to embed SQL commands in invented usernames, which were then executed.
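The bug class described above, as an added illustration that is not Loginizer's code: a failed-login logger that splices the submitted username into the SQL text, next to the parameterised form that fixes it. The table layout, column names and sample inputs are constructed for this example; the real plugin's schema is not on the page.

```python
import sqlite3

# Constructed stand-in for the plugin's failed-login log table (assumption: the
# real Loginizer schema is not on the page; these column names are invented).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE failed_logins (id INTEGER PRIMARY KEY, username TEXT, ip TEXT)")
    return conn

def log_failed_login_vulnerable(conn, username, ip):
    # Defect pattern: the unknown username is spliced into the SQL text, so whatever
    # the login form submitted becomes part of the statement.
    sql = f"INSERT INTO failed_logins (username, ip) VALUES ('{username}', '{ip}')"
    conn.execute(sql)
    conn.commit()

def log_failed_login_safe(conn, username, ip):
    # Hardened form: a parameterised statement hands the username to the driver as
    # data, so quotes in it can neither break nor change the query.
    conn.execute("INSERT INTO failed_logins (username, ip) VALUES (?, ?)", (username, ip))
    conn.commit()

def stored_rows(conn):
    return list(conn.execute("SELECT username, ip FROM failed_logins ORDER BY id"))

def run(logger, username, ip="203.0.113.5"):
    """Log one failed attempt and report (rows, error name or None)."""
    conn = make_db()
    try:
        logger(conn, username, ip)
    except sqlite3.Error as exc:
        return stored_rows(conn), type(exc).__name__
    return stored_rows(conn), None

# Constructed inputs: a legitimate name containing an apostrophe, and an "invented
# username" that closes the string literal and comments out the rest of the query,
# so the vulnerable logger records a forged source IP instead of the real one.
APOSTROPHE_NAME = "o'brien"
CRAFTED_NAME = "nobody', '198.51.100.9'); -- "

if __name__ == "__main__":
    for name in (APOSTROPHE_NAME, CRAFTED_NAME):
        print("vulnerable:", run(log_failed_login_vulnerable, name))
        print("safe:      ", run(log_failed_login_safe, name))
```

The vulnerable logger fails on an ordinary apostrophe and lets the crafted name overwrite the logged IP, which matters for a plugin whose blocking logic keys on that IP; the parameterised logger stores both names verbatim.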
According to the WordPress vulnerability database, a proof-of-concept was not supposed to be published until early November. However, Slavco Mihajloski, the discoverer of the vulnerability, already published the code on Wednesday, probably because of the automatically distributed update.
The code that allows the WordPress security team to perform such "forced updates" has, according to ZDNet, been part of the WordPress codebase since version 3.7; so far, however, it has only very rarely been used.