{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-4307", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2023-08-11T13:32:03.247Z", "datePublished": "2023-09-11T19:46:04.810Z", "dateUpdated": "2023-09-11T19:46:04.810Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2023-09-11T19:46:04.810Z"}, "title": "Lock User Account <= 1.0.3 - Arbitrary Account Lock/Unlock via CSRF", "problemTypes": [{"descriptions": [{"description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Lock User Account", "versions": [{"status": "affected", "versionType": "custom", "version": "0", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "affected", "collectionURL": "https://wordpress.org/plugins"}], "descriptions": [{"lang": "en", "value": "The Lock User Account WordPress plugin through 1.0.3 does not have CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged in admins lock and unlock arbitrary users via a CSRF attack"}], "references": [{"url": "https://wpscan.com/vulnerability/06f7aa45-b5d0-4afb-95cc-8f1c82f6f8b3", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Dmitrii Ignatyev", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:teknigar:lock_user_account:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "7A281DC1-AF0D-4A4B-9B4B-A8A6EF07B793", "versionEndIncluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Lock User Account WordPress plugin through 1.0.3 does not have CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged in admins lock and unlock arbitrary users via a CSRF attack"}, {"lang": "es", "value": "El complemento de WordPress Lock User Account hasta la versi\u00f3n 1.0.3 no tiene verificaci\u00f3n CSRF cuando bloquea y desbloquea cuentas de forma masiva, lo que podr\u00eda permitir a los atacantes hacer que los administradores registrados bloqueen y desbloqueen usuarios arbitrarios a trav\u00e9s de un ataque CSRF."}], "id": "CVE-2023-4307", "lastModified": "2023-11-07T04:22:26.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-11T20:15:12.117", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/06f7aa45-b5d0-4afb-95cc-8f1c82f6f8b3"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified"}

{}