CVE-2023-50837: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2023-50837) was discovered in WebFactory Ltd's Login Lockdown – Protect Login Form WordPress plugin, affecting versions up to 2.06. The vulnerability was reported on December 21, 2023, by researcher LVT-tholv2k (Patchstack).

The vulnerability stems from improper neutralization of special elements used in SQL commands. Specifically, the plugin fails to properly sanitize and escape the iDisplayStart parameter before using it in SQL statements. The vulnerability has received a CVSS v3.1 base score of 7.2 (HIGH) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned a score of 7.6 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L (NVD).

The SQL injection vulnerability could allow malicious actors with administrative privileges to directly interact with the database, potentially leading to unauthorized access to sensitive information and database manipulation (WPScan).

The vulnerability has been fixed in version 2.07 of the Login Lockdown plugin. Users are advised to update to version 2.07 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).