PT-2024-16814 · WordPress · Lock User Account
Francesco Carlucci
Published: 2024-11-20 · Updated: 2024-11-21
CVE-2024-11197
CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Lock User Account plugin for WordPress versions up to, and including, 1.0.5
Description
The plugin permits application-password logins even when a user account is locked. As a result, an authenticated attacker who already holds an application password for a locked account can bypass the lock and continue to interact with the site through the XML-RPC and REST APIs.
Recommendations
For Lock User Account plugin for WordPress versions up to, and including, 1.0.5, disable application-password logins for locked accounts as a temporary workaround until a patch is available. Additionally, restrict locked accounts' access to API endpoints such as XML-RPC and REST to minimize the risk of exploitation.
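The following must-use plugin is an added example of the workaround described above; it is not the Lock User Account plugin's own code nor the vendor's patch. It hooks the WordPress core filter wp_is_application_passwords_available_for_user, which core's wp_authenticate_application_password() consults before accepting an application password on a REST or XML-RPC request, and returns false for locked users so core rejects the login with the error code application_passwords_disabled_for_user. The user-meta key that holds the lock flag is a placeholder, since the page does not give the plugin's real storage key; the helper names prefixed example_ are likewise assumptions. The logging hook uses core's application_password_failed_authentication action so that denied attempts show up in the server log for detection.

```php
<?php
/**
 * Plugin Name: Deny application passwords for locked accounts
 * Description: Added example (not part of the Lock User Account plugin). Drop into
 *              wp-content/mu-plugins/ to refuse application-password authentication
 *              (REST API, XML-RPC) for user accounts that are locked.
 */

// ASSUMPTION: the lock flag lives in user meta under this key. The page does not
// state the plugin's real meta key; replace this placeholder with the actual one.
const EXAMPLE_LOCKED_USER_META_KEY = 'PLACEHOLDER_locked_user_meta_key';

/**
 * Returns true when the given user is flagged as locked.
 */
function example_is_user_locked( WP_User $user ): bool {
	return (bool) get_user_meta( $user->ID, EXAMPLE_LOCKED_USER_META_KEY, true );
}

/**
 * Core applies this filter inside wp_is_application_passwords_available_for_user().
 * wp_authenticate_application_password() checks that function before validating the
 * supplied application password, so returning false here makes core reject the
 * request with the 'application_passwords_disabled_for_user' error on both the
 * 'authenticate' path (XML-RPC) and the 'determine_current_user' path (REST).
 *
 * @param bool    $available Whether application passwords are available for the user.
 * @param WP_User $user      The user being authenticated.
 * @return bool
 */
add_filter( 'wp_is_application_passwords_available_for_user', function ( $available, $user ) {
	if ( $available && $user instanceof WP_User && example_is_user_locked( $user ) ) {
		return false;
	}
	return $available;
}, 10, 2 );

/**
 * Detection: core fires this action with the WP_Error whenever an application-password
 * login fails. Recording the error code and the client address lets an operator see
 * repeated API attempts against locked accounts in the web server's error log.
 *
 * @param WP_Error $error The authentication error core is about to return.
 */
add_action( 'application_password_failed_authentication', function ( $error ) {
	if ( ! $error instanceof WP_Error ) {
		return;
	}
	$remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	error_log( sprintf(
		'application password rejected: code=%s remote=%s',
		$error->get_error_code(),
		$remote
	) );
} );
```

Because the filter is evaluated by core rather than by the plugin, the denial holds regardless of which API surface the request arrives on; a locked user's existing application passwords stay stored but can no longer authenticate until the lock is lifted.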
Fix
Weakness Enumeration
Protection Mechanism Failure
Related Identifiers
Affected Products
Lock User Account