Plugin Name: Login Lockdown
- Software Type: Plugin
- Software Slug: login-lockdown
- Software Status: Active
- Software Author: webfactory
- Software Downloads: 1,446,808
- Active Installs: 100,000
- Last Updated: November 21, 2023
- Patched Versions: 2.07
- Affected Versions: <= 2.06
- Name: Login Lockdown <= 2.06 - Authenticated (Administrator+) SQL Injection
- Title: Authenticated (Administrator+) SQL Injection
- Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CVSS Score: 7.2 (High)
- Publicly Published: November 21, 2023
- Description: The Login Lockdown – Protect Login Form plugin for WordPress is vulnerable to SQL Injection via the ‘sort order and limit’ parameter in all versions up to 2.06 (inclusive) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator access or higher to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The Login Lockdown plugin for WordPress has a high severity SQL injection vulnerability in versions up to and including 2.06 that allows authenticated administrators to extract sensitive information from the database. This vulnerability has been patched in version 2.07.
The vulnerability exists in the 'sort order and limit' parameter that is used to sort and limit login attempts. Due to insufficient input validation and escaping, an authenticated administrator can inject additional SQL queries that get executed on the database. This could expose sensitive information like usernames, passwords, API keys, etc. to the attacker. The vulnerability was reported by the Wordfence Threat Intelligence team on November 21, 2023 and affects all versions up to and including 2.06. Users are strongly advised to update to version 2.07 or above.
Advice for Users:
- Immediate Action: Update to version 2.07 or above.
- Check for Signs of Vulnerability: Review your logs for any suspicious SQL queries or login attempts. Additionally, check if any unauthorized changes were made like addition of administrator accounts.
- Alternate Plugins: While an update is recommended, consider using alternative login protection plugins like iThemes Security or All In One WP Security as a precaution.
- Stay Updated: Always keep your WordPress installations and plugins updated to avoid vulnerabilities.
The quick response from the developers to patch this SQL injection vulnerability demonstrates their commitment to security. Users should install version 2.07 or later immediately to prevent any potential compromise of their WordPress sites.
Keeping your WordPress website and its plugins constantly updated is critical to maintaining a secure online presence. Unfortunately, far too often vulnerabilities arise that put sites at risk until patches are released. This week a serious SQL injection issue was publicly disclosed affecting sites running the popular Login Lockdown plugin. This vulnerability enables authenticated administrators to improperly access and extract sensitive database information. While the plugin developers have now issued a security fix in version 2.07, the flaw impacts all installations running vulnerable versions up to 2.06. If your website utilizes this free login protector, updating immediately is strongly advised.
We realize these complex security details can be confusing for non-technical site owners. In this post we aim to raise awareness of the risks while offering actionable guidance on keeping your site safe. Even if you use different security tools, the lessons around timely updates and best practices still apply. Reach out for personalized help securing your site if needed. By working together, we can have an informed and proactive WordPress community.
The Login Lockdown plugin, with over 1.4 million downloads, provides useful protection against brute force login attacks by limiting login attempts. However, the recently disclosed SQL injection vulnerability affects all versions up to and including 2.06. This high severity flaw allows an authenticated administrator to inject malicious SQL database queries via the "sort order and limit" parameter. Because of inadequate input sanitization, an attacker can leverage this to extract sensitive information from the database like usernames, passwords, API keys, etc. This can in turn enable further site compromise through account takeover or privilege escalation.
Unfortunately, SQL injection issues have impacted Login Lockdown multiple times before as well, indicating systemic issues in plugin development. The risks extend beyond data theft too - attackers could modify, delete, or ransom your data. Without the latest security fixes, sites face unnecessary vulnerability to attacks jeopardizing business operations, finances, and customer trust.
Updating to the latest Login Lockdown version 2.07 prevents this attack vector by addressing the underlying coding flaws. For compromised sites, a forensic investigation would be prudent along with resetting all passwords. As a precaution, switching to alternate login protection plugins like iThemes Security or All In One WP Security merits consideration too.
We encourage small business owners on tight schedules to utilize the automatic background update option in WordPress to effortlessly maintain software security. Additionally, monitoring services like Wordfence Scanner can alert you to vulnerable software in need of upgrades. We also recommend establishing off-site backups and response plans for any worst case incidents. By layering security and planning ahead, you can effectively guard your online interests despite limited time and technical skill.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.