WordPress Plugin Flaw Results in Forced Updates

Security Flaws

A security flaw leads to forced updates for over one million WordPress users


A WordPress plugin was recently found to contain a security flaw that left users' websites vulnerable to attack. To stop the issue from getting out of hand, WordPress pushed forced updates to third-party websites to prevent hackers from exploiting the bug.

The plugin, Loginizer, is a suite by Softaculous that adds many security features to your website, including brute force protection. This protection gives an attacker a limited number of unsuccessful login attempts before it blocks them from logging in at all. Brute force hackers try to get into your website by spamming usernames and/or passwords until they get them correct, and Loginizer prevents this. The free version of the plugin is used by over one million WordPress users.
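To make concrete what a brute force lockout of this kind does, here is a small failed-login throttle. It is an added example written for this page, not Loginizer's own code; the class and method names (`LoginThrottle`, `record_failure`, `record_success`, `is_locked`) are assumptions, and it assumes a login handler that calls `is_locked()` before checking credentials and reports each outcome back. The one design choice worth noting is that the attacker-controlled username is hashed together with the client address and only that digest is used as a storage key, so unusual characters in a username cannot change how the counter behaves.

```python
"""Failed-login throttle illustrating brute force protection.

Added example, not Loginizer's code. Assumes a caller that invokes
record_failure()/record_success() from its authentication path and
checks is_locked() before evaluating credentials.
"""
import hashlib
import time
from dataclasses import dataclass, field


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LoginThrottle:
    max_attempts: int = 3
    lockout_seconds: int = 900
    _state: dict = field(default_factory=dict)

    @staticmethod
    def _key(username: str, client_ip: str) -> str:
        # Hash the (ip, normalized username) pair so the attacker-controlled
        # username is never used directly as a storage key or interpolated
        # anywhere; any byte sequence maps to a fixed-length hex digest.
        normalized = username.strip().lower()
        raw = f"{client_ip}\x00{normalized}".encode("utf-8", "surrogateescape")
        return hashlib.sha256(raw).hexdigest()

    def is_locked(self, username: str, client_ip: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        st = self._state.get(self._key(username, client_ip))
        return st is not None and st.locked_until > now

    def record_failure(self, username: str, client_ip: str, now: float = None) -> bool:
        """Count a failed attempt; return True if this one triggered a lockout."""
        now = time.time() if now is None else now
        st = self._state.setdefault(self._key(username, client_ip), AttemptState())
        if st.locked_until and st.locked_until <= now:
            # Previous lockout has expired: start a fresh counting window.
            st.failures = 0
            st.locked_until = 0.0
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
            return True
        return False

    def record_success(self, username: str, client_ip: str) -> None:
        # A successful login clears the counter for this (ip, username) pair.
        self._state.pop(self._key(username, client_ip), None)


def demo() -> dict:
    """Walk through one lockout cycle on constructed inputs; returns observed states."""
    t = LoginThrottle(max_attempts=3, lockout_seconds=60)
    ip = "203.0.113.7"  # constructed sample client address
    # Constructed username containing quotes, a NUL byte and trailing whitespace:
    # none of these may alter how the counter behaves.
    user = "ad'min\"\x00 "
    results = {}
    results["first"] = t.record_failure(user, ip, now=100.0)
    results["second"] = t.record_failure(user, ip, now=101.0)
    results["third"] = t.record_failure(user, ip, now=102.0)
    results["locked"] = t.is_locked(user, ip, now=103.0)
    # Same account in different casing without the trailing space: same counter.
    results["locked_variant"] = t.is_locked("AD'MIN\"\x00", ip, now=103.0)
    results["expired"] = t.is_locked(user, ip, now=200.0)
    # A failure after expiry restarts the window rather than locking immediately.
    results["after_expiry"] = t.record_failure(user, ip, now=201.0)
    t.record_success(user, ip)
    results["after_success"] = t.is_locked(user, ip, now=202.0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to see the cycle: the third failure triggers the lockout, the lockout is enforced regardless of how the username is cased or padded, it lapses after `lockout_seconds`, and a successful login clears the record.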

After a recent update to Loginizer, researcher Slavo Mihajloski discovered the feature could be bypassed using special usernames.  

After learning of the issue, Loginizer and WordPress worked together to push updates to users who were exposed to the flaw. Fortunately, most cases were resolved quickly without any trouble.

Mihajloski, who discovered the bug, questioned WordPress's transparency on security issues, saying, “There isn't any statement or document about who, how and when decides about and performs automatic updates.”

He brings up a good point. Even with the intention of solving a security issue, the situation raises questions about WordPress's right to update third-party websites without permission. The update involved changing code on those sites, and that could be a major breach of the owners' rights.

Issues like these are reminders of the inherent vulnerabilities of anything on the internet. Many website owners forget that their websites hold valuable information, and strong security is essential.

Loginizer has now been updated and the flaw fixed. If you have it installed on your website, it's recommended you update to version 1.6.4.
