Vulnerability in Lock User Account Plugin Allows Authenticated Attackers to Bypass Account Lock
CVE-2024-11197

4.2MEDIUM

Key Information:

Vendor: Wordpress
Status: Lock User Account
Vendor: CVE Published:; 21 November 2024

Summary

The Lock User Account plugin for WordPress is vulnerable to user lock bypass in all versions up to, and including, 1.0.5. This is due to permitting application password logins when user accounts are locked. This makes it possible for authenticated attackers, with existing application passwords, to interact with the vulnerable site via an API such as XML-RPC or REST despite their account being locked.

Affected Version(s)

Lock User Account * <= 1.0.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/lock-user-account/

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 21, 2024
Vulnerability Reserved
Nov 13, 2024

Credit

Francesco Carlucci