WordPress Plugin Vulnerabilities

BAN Users <= 1.5.3 - Subscriber+ Settings Update & Privilege Escalation via Missing Authorization

Description

The plugin is vulnerable to privilege escalation in versions up to, and including, 1.5.3 due to a missing capability check on the 'w3dev_save_ban_user_settings_callback' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify the plugin settings to access the ban and unban functionality and set the role of the unbanned user.

Affects Plugins

Plugin icon
ban-users
No known fix

References

CVE
CVE-2023-4153

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
81d323bc-e57c-4d72-94d3-34ea95d45eb6

Timeline

Publicly Published
2023-09-12 (about 2 years ago)
Added
2023-09-14 (about 2 years ago)
Last Updated
2023-09-14 (about 2 years ago)

Other

Published
Title
Published
2026-03-23
Title
WPCargo Track & Trace <= 8.0.2 - Missing Authorization
Published
2023-11-20
Title
BlossomThemes Email Newsletter < 2.2.5 - Missing Authorization
Published
2025-06-19
Title
Video List Manager <= 1.7 - Missing Authorization
Published
2024-08-28
Title
Blockbooster < 1.0.11 - Missing Authorization
Published
2025-12-31
Title
Signature Add-On for Gravity Forms < 1.8.7 - Missing Authorization