We released Loginizer 1.6.4 on 16th October 2020, which fixes two security issues.
Please check whether you are running 1.6.4; if not, we recommend that you upgrade to 1.6.4 immediately.
We did not disclose the details of the security fixes earlier so that users had time to upgrade the plugin in their WordPress installations.
The WordPress team helped auto-upgrade the Loginizer plugin to 1.6.4 for a large percentage of users, including users who had not enabled auto-upgrades, because this was a security fix. We also pushed the security upgrade via Softaculous, so WordPress installations done through Softaculous that had Loginizer were upgraded automatically. These two channels helped upgrade a large portion of installations.
The following is the list of security issues fixed in Loginizer 1.6.4:
1) [Security Fix] : A specially crafted username submitted at login could lead to SQL injection. This has been fixed by using the prepare function in PHP, which prepares the SQL query for safe execution.
2) [Security Fix] : If the IP HTTP header was modified to contain a null byte, it could lead to stored XSS. This has been fixed by properly sanitizing the IP HTTP header before using it.
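The two fixes above share one principle: untrusted login input (a username, a client IP header) is treated strictly as data, never as part of SQL text or HTML output. The following is an added illustration of that principle in plain PHP; it is not Loginizer's code and does not reproduce the plugin's functions. The table, function and column names are hypothetical, the demo uses an in-memory SQLite database via PDO (assumes the pdo_sqlite extension), and in a WordPress plugin the equivalents would be $wpdb->prepare() for the query and esc_html() for output.

```php
<?php
// Added example, not Loginizer's code. Demonstrates the two defensive patterns
// named in the advisory: a parameterised query for the login username, and
// strict validation of a client-IP header before it is stored or displayed.
// All names below (example_*) are hypothetical.

/**
 * Look up a per-username lockout row with a parameterised query.
 * The username travels as a bound value, never as part of the SQL text,
 * so quote characters or other content in it cannot alter the query.
 */
function example_find_lockout(PDO $db, string $username): ?array {
    $stmt = $db->prepare(
        'SELECT username, failed_attempts FROM example_lockouts WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Reduce a raw client-IP header value to a validated address, or null.
 * FILTER_VALIDATE_IP accepts only a bare IPv4/IPv6 literal, so a value that
 * carries a null byte, markup or any trailing data is rejected outright
 * rather than stored. Only spaces/tabs are trimmed: PHP's default trim()
 * would also strip null bytes at the ends, which we do not want to mask.
 */
function example_validated_ip(string $raw_header): ?string {
    $ip = trim($raw_header, " \t");
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : $ip;
}

/** Escape a stored value for HTML output (esc_html() is the WordPress equivalent). */
function example_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// ----- demonstration on constructed input -----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE example_lockouts (username TEXT PRIMARY KEY, failed_attempts INTEGER)');
$db->exec("INSERT INTO example_lockouts VALUES ('alice', 3)");
$db->exec("INSERT INTO example_lockouts VALUES ('o''brien', 1)");

// A username containing a quote is handled as plain data by the bound parameter.
var_dump(example_find_lockout($db, 'alice'));    // array: username => alice, failed_attempts => 3
var_dump(example_find_lockout($db, "o'brien"));  // array: username => o'brien, failed_attempts => 1
var_dump(example_find_lockout($db, 'nobody'));   // NULL

// Constructed header values: a clean address passes, one with an embedded
// null byte (the class of input named in the advisory) is rejected.
var_dump(example_validated_ip(' 203.0.113.7 '));        // string "203.0.113.7"
var_dump(example_validated_ip("203.0.113.7\0extra"));   // NULL
var_dump(example_validated_ip('2001:db8::1'));          // string "2001:db8::1"

// Even a validated value is escaped again at the point of output.
echo example_html('203.0.113.7'), PHP_EOL;
```

Rejecting rather than "cleaning" the header is the safer choice here: a header that does not parse as an address has no legitimate use for rate limiting or logging, and dropping it avoids storing a partially stripped string whose remaining bytes still reach a later HTML page.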
We would like to thank Slavco from WPdeeply.com and the WordPress.org Plugins team for their help in this matter.
For any questions about this version or any difficulty upgrading, feel free to contact us at [email protected]
The Loginizer Team