WordPress Plugin Vulnerabilities

Login Lockdown < 2.07 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape the iDisplayStart parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Affects Plugins

Plugin icon
login-lockdown
Fixed in 2.07

References

CVE
CVE-2023-50837
URL
https://patchstack.com/database/vulnerability/login-lockdown/wordpress-login-lockdown-protect-login-form-plugin-2-06-sql-injection-vulnerability

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
3f535329-7374-4f65-b623-ddccabe55ad3

Timeline

Publicly Published
2023-12-21 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-05 (about 2 years ago)

Other

Published
Title
Published
2023-12-21
Title
BookingPress < 1.0.73 - Authenticated (Contributor+) SQL Injection
Published
2025-12-14
Title
Accordion Slider PRO < 1.3 - Authenticated (Contributor+) SQL Injection
Published
2016-01-25
Title
Appointment Booking Calendar < 1.1.24 - Unauthenticated SQL Injection
Published
2023-12-21
Title
Welcart e-Commerce < 2.9.4 - Authenticated(Editor+) SQL Injection
Published
2014-08-01
Title
WP Forum Server 1.6.5 - index.php Multiple Parameter SQL Injection