WordPress Plugin Vulnerabilities

LoginPress <= 1.1.13 - Unauthorized Blind SQL Injection

Description

The Custom Login Page Customizer | LoginPress WordPress plugin was affected by an Unauthorized Blind SQL Injection security vulnerability.

Affects Plugins

Plugin icon
loginpress
Fixed in 1.1.14

References

CVE
CVE-2019-15872
CVE
CVE-2019-15871
URL
https://www.webarxsecurity.com/loginpress-plugin/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Luka Sikic
Submitter
Luka Sikic
Submitter website
https://www.webarxsecurity.com/
Submitter twitter
webarx_security
Verified
No
WPVDB ID
421a39b7-eb47-4ed5-84d5-4585700680d7

Timeline

Publicly Published
2018-11-29 (about 7 years ago)
Added
2019-06-17 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2021-12-15
Title
Post Grid < 2.1.13 - Contributor+ SQL Injection
Published
2025-10-14
Title
External Login <= 1.11.2 - Unauthenticated SQL Injection via log
Published
2024-12-12
Title
Instant Appointment <= 1.2 - Unauthenticated SQL Injection
Published
2024-12-02
Title
WordPress Auction Plugin <= 3.7 - Unauthenticated SQL Injection
Published
2024-11-25
Title
Security & Malware scan by CleanTalk < 2.145.1 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated SQL Injection