PT-2023-27963 · WordPress · Ban Users

István Márton

Published

2023-09-12

Updated

2023-09-15

CVE-2023-4153

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions BAN Users plugin for WordPress versions up to, and including, 1.5.3

Description The issue is related to a missing capability check on the w3dev save ban user settings callback function, which allows authenticated attackers with minimal permissions to modify the plugin settings. This enables them to access the ban and unban functionality and set the role of the unbanned user.

Recommendations For versions up to, and including, 1.5.3, consider disabling the w3dev save ban user settings callback function until a patch is available to prevent exploitation. Restrict access to the plugin settings to minimize the risk of unauthorized modifications.

Fix

Incorrect Privilege Assignment

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-266

Related Identifiers

CVE-2023-4153

Affected Products

Ban Users

PT-2023-27963 · WordPress · Ban Users

CVE-2023-4153

Weakness Enumeration

Related Identifiers

Affected Products

References · 7