WordPress Plugin Vulnerabilities

Login Lockdown < 2.07 - Administrator+ SQL Injection

Description

The plugin is vulnerable to SQL Injection via the ‘sort order and limit’ parameter due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

Affects Plugins

Plugin icon
login-lockdown
Fixed in 2.07

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/09773141-883b-40e3-bd20-d3115c02e023

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.2 (high)

Miscellaneous

Verified
No
WPVDB ID
d7e37c15-4004-47ac-925e-e2f71de3cfd9

Timeline

Publicly Published
2023-11-21 (about 2 years ago)
Added
2024-01-24 (about 2 years ago)
Last Updated
2024-01-24 (about 2 years ago)

Other

Published
Title
Published
2024-01-02
Title
WP SMS < 6.5.1 - Contributor+ SQLi to Reflected XSS
Published
2025-07-15
Title
ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes < 1.5.0 - Authenticated (Subscriber+) SQL Injection
Published
2024-08-19
Title
Shopping Cart & eCommerce Store < 5.7.3 - Authenticated (Contributor+) SQL Injection via model_number Parameter
Published
2025-02-21
Title
Doctor Appointment Booking <= 1.0.0 - Authenticated (Subscriber+) SQL Injection
Published
2022-02-15
Title
Photo Gallery by 10Web < 1.6.0 - Unauthenticated SQL Injection