Forum Discussion
WordPress Forcibly Updates Sites to Address Serious Vulnerability in Loginizer Plugin
In an unprecedented event, the WordPress Security team used the “forced update” functionality in WordPress to swiftly address CVE-2020-27615 by migrating Loginizer users to a patched version of the software.
On October 21, the developers of the WordPress Loginizer plugin, which offers protection against brute-force login attacks, published a blog post about a recent update to the plugin that addresses a severe vulnerability. The vulnerability was discovered and disclosed by Slavco Mihajloski, a vulnerability researcher at WP Deeply.
CVE-2020-27615 is a SQL injection (SQLi) vulnerability in the WordPress Loginizer plugin due to a lack of input sanitization. According to a blog post from Mihajloski, the vulnerability exists in two parts of the Loginizer plugin: the loginizer_login_failed function, which contains unsanitized database requests, and the lz_valid_ip function. Mihajloski notes the potential for a stored cross-site scripting (XSS) vulnerability as well.
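As an added illustration of the flaw class Mihajloski describes (this is not Loginizer's own code; the function, table and column names are assumptions for the example), the vulnerable pattern beside its hardened form in WordPress PHP:

```php
<?php
// Constructed example: a failed-login handler that records the attempted
// username and client IP in a custom table. Table/column names are assumed.

// VULNERABLE pattern: user-controlled values interpolated straight into SQL.
function example_log_failed_login_vulnerable( $username ) {
    global $wpdb;
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $table = $wpdb->prefix . 'example_login_log';
    // $username comes from the login form; $ip is also attacker-influenced
    // if it is ever derived from request headers instead of REMOTE_ADDR.
    $wpdb->query( "INSERT INTO $table (username, ip, ts) VALUES ('$username', '$ip', NOW())" );
}

// HARDENED pattern: validate the IP, parameterize the query, escape on output.
function example_log_failed_login_hardened( $username ) {
    global $wpdb;
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    // Accept only a literal IPv4/IPv6 address; anything else is discarded.
    if ( filter_var( $ip, FILTER_VALIDATE_IP ) === false ) {
        $ip = '';
    }
    // Bound the stored length; a legitimate login name is never this long.
    $username = substr( (string) $username, 0, 60 );
    $table    = $wpdb->prefix . 'example_login_log';
    // $wpdb->insert() builds a prepared statement; '%s' forces string binding,
    // so quotes or SQL fragments in the username cannot alter the query.
    $wpdb->insert(
        $table,
        array( 'username' => $username, 'ip' => $ip, 'ts' => current_time( 'mysql' ) ),
        array( '%s', '%s', '%s' )
    );
}

// Stored values must still be escaped when rendered in the admin dashboard;
// otherwise a crafted username becomes stored XSS, the second issue noted above.
function example_render_log_row( $row ) {
    return '<tr><td>' . esc_html( $row['username'] ) . '</td>'
         . '<td>' . esc_html( $row['ip'] ) . '</td></tr>';
}
```

The two defenses are independent: parameterized queries stop the injection, and output escaping stops the stored XSS, so fixing only one leaves the other exposure in place.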
For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.