WordPress Plugin Vulnerabilities

Disable User Login <= 1.0.2 - Unauthenticated Settings Update

Description

The plugin does not have authorisation and CSRF checks when updating its settings, allowing unauthenticated attackers to block (or unblock) users at will.

Proof of Concept

Affects Plugins

Plugin icon
wp-users-disable
No known fix

References

CVE
CVE-2022-2350

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Submitter
Rafshanzani Suhada
Verified
Yes
WPVDB ID
de28543b-c110-4a9f-bfe9-febccfba3a96

Timeline

Publicly Published
2022-09-14 (about 3 years ago)
Added
2022-09-14 (about 3 years ago)
Last Updated
2025-01-10 (about 11 months ago)

Other

Published
Title
Published
2024-04-23
Title
Send PDF for Contact Form 7 < 1.0.2.4 - Missing Authorization
Published
2025-02-11
Title
The Ultimate WordPress Toolkit – WP Extended < 3.0.14 - Missing Authorization to Unauthenticated Post Order Manipulation
Published
2023-10-25
Title
Ni WooCommerce Sales Report < 3.7.4 - Subscriber+ Sale & Order Reports Access
Published
2025-08-23
Title
miniOrange's Google Authenticator < 6.1.2 - Missing Authorization
Published
2025-02-18
Title
WordPress Portfolio Builder – Portfolio Gallery <= 1.1.7 - Missing Authorization to Unauthenticated Portfolio Update