Security alert
This plugin appears to be causing a blind SQL injection attack on my server.
I’m configuring my new WordPress site and have now been twice blocked by my site’s firewall, the message being (I’ve removed my IP address):
Your IP address … had been blocked by the firewall due to repeatedly triggering a mod_security filter rule (“Blind SQL Injection Attack” – see sample below). I have unblocked your IP address and disabled the filter rule in question on the assumption that this is a false positive.
—
[Fri Apr 27 16:13:48 2018] [error] [client …] ModSecurity: Access denied with code 406 (phase 2). Pattern match “\\\\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id) …” at ARGS:data[form_data]. [file “/usr/local/apache/conf/modsec2.user.conf”] [line “134”] [id “950904”] [msg “Blind SQL Injection Attack”] [data “user_password”] [severity “CRITICAL”] [tag “WEB_ATTACK/SQL_INJECTION”] [hostname “bourneendu3a.org.uk”] [uri “/wp-admin/admin-ajax.php”] [unique_id “WuM@LE31QtoAE3U9PlAAAABE”]
This was repeated a large number of times.
I was at the time trying to configure the “User registration” plugin v1.2.5 and it was not behaving as per instructions. (It wouldn’t save a new configuration.) I had deactivated all other plugins (Logged in User Shortcode, Theme My Login, Coming Soon Page & Maintenance Mode) except the last but otherwise it’s a standard 4.9.5 WordPress with Iconic-One theme. I had the latest version 1.2.5.1 earlier which produced the same results. I’ve put requests on WPEverest’s forums but had no help from there.
Whilst I can’t put it down to this plugin 100% it does appear the most likely cause. I’ve now deleted it from my site.
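An added example, not part of the original post or the host's tooling: a small Python triage script that parses ModSecurity alert lines shaped like the one quoted above and groups them by rule id, URI, matched variable and matched data, so repeated hits on one admin form field stand out. The sample log, the client address, the `PATTERN` placeholder and the function names are constructed for illustration; `SecRuleUpdateTargetById` is ModSecurity's directive for removing a single variable from one rule instead of disabling the whole rule.

```python
import re
from collections import Counter

# Constructed sample in the shape of the alert quoted in the post; the client
# address and the rule pattern are placeholders, not values from a real log.
SAMPLE_LOG = """\
[Fri Apr 27 16:13:48 2018] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "PATTERN" at ARGS:data[form_data]. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "134"] [id "950904"] [msg "Blind SQL Injection Attack"] [data "user_password"] [severity "CRITICAL"] [uri "/wp-admin/admin-ajax.php"]
[Fri Apr 27 16:13:52 2018] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match “PATTERN” at ARGS:data[form_data]. [file “/usr/local/apache/conf/modsec2.user.conf”] [line “134”] [id “950904”] [msg “Blind SQL Injection Attack”] [data “user_password”] [severity “CRITICAL”] [uri “/wp-admin/admin-ajax.php”]
[Fri Apr 27 16:14:01 2018] [error] [client 192.0.2.10] File does not exist: /home/example/public_html/favicon.ico
"""

CURLY = str.maketrans("“”‘’", "\"\"''")
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
TARGET_RE = re.compile(r' at ([A-Z_]+(?::\S+)?)\.\s')


def parse_alert(line):
    """Return the fields of one ModSecurity alert line, or None for other lines."""
    line = line.translate(CURLY)  # forum software often curls the quotes
    if "ModSecurity:" not in line:
        return None
    fields = {}
    for name, value in FIELD_RE.findall(line):
        fields.setdefault(name, value)  # keep first occurrence (tag repeats)
    target = TARGET_RE.search(line)
    fields["target"] = target.group(1) if target else None
    return fields


def summarise(log_text):
    """Count alerts per (rule id, uri, matched variable, matched data)."""
    counts = Counter()
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert:
            counts[(alert.get("id"), alert.get("uri"),
                    alert["target"], alert.get("data"))] += 1
    return counts


def narrow_exclusion(rule_id, target):
    """Directive that drops one variable from one rule, leaving the rule on."""
    return f'SecRuleUpdateTargetById {rule_id} "!{target}"'


if __name__ == "__main__":
    for (rule_id, uri, target, data), n in summarise(SAMPLE_LOG).most_common():
        print(f"{n}x rule {rule_id} on {uri}: {target} matched {data!r}")
        print("  candidate for review:", narrow_exclusion(rule_id, target))
```

The grouping key shows what the rule actually matched: here the string `user_password` inside the `data[form_data]` argument of an admin AJAX request, which is the detail needed to decide between a narrow exclusion and a genuine alert.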