CVE-2022-2350 in Disable User Login Plugin
Summary
by MITRE • 10/11/2022
The Disable User Login WordPress plugin through 1.0.1 does not have authorisation and CSRF checks when updating its settings, allowing unauthenticated attackers to block (or unblock) users at will.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/25/2026
The CVE-2022-2350 vulnerability affects the Disable User Login WordPress plugin version 1.0.1 and earlier, representing a critical authorization and access control flaw that undermines the security posture of WordPress installations. This vulnerability stems from the plugin's failure to implement proper authentication mechanisms and cross-site request forgery protection when processing administrative settings updates. The absence of these security measures creates a significant attack vector that allows unauthenticated malicious actors to manipulate user access controls within the WordPress environment.
The technical flaw manifests as a lack of validation for user credentials and request authenticity when performing actions such as blocking or unblocking user accounts through the plugin's administrative interface. This weakness directly violates fundamental security principles outlined in the CWE (Common Weakness Enumeration) catalog under CWE-863, which addresses "Incorrect Authorization" - a category that encompasses failures in access control validation. The vulnerability enables attackers to perform unauthorized administrative actions without possessing legitimate credentials or permissions, effectively granting them the ability to manipulate user access within the WordPress system.
The operational impact of this vulnerability extends beyond simple user account manipulation, as it creates opportunities for broader security compromise within WordPress environments. An attacker exploiting this vulnerability can systematically block legitimate users from accessing their accounts, potentially leading to denial of service conditions that disrupt business operations. Additionally, the ability to unblock accounts provides attackers with persistent access to compromised systems, enabling them to maintain control over the WordPress installation. This vulnerability particularly affects WordPress sites that rely on the Disable User Login plugin for user management, creating a persistent threat vector that remains active until the plugin is updated or removed.
The security implications align with ATT&CK framework techniques under T1078 "Valid Accounts" and T1482 "Domain Trust Discovery," as attackers can leverage this vulnerability to manipulate user access and potentially escalate privileges within the WordPress environment. Organizations using vulnerable versions of this plugin face increased risk of account compromise, unauthorized access to sensitive information, and potential system takeover scenarios. The vulnerability's exploitation requires minimal technical skill and provides significant control over user access, making it particularly dangerous in environments where WordPress serves as a critical business application.
Mitigation strategies should prioritize immediate plugin updates to versions that address the authorization and CSRF protection deficiencies. System administrators must ensure that all WordPress plugins undergo regular security assessments and that outdated plugins are promptly removed from installations. The implementation of additional security layers such as Web Application Firewalls, proper access control policies, and regular security audits can help reduce the risk exposure. Organizations should also consider implementing monitoring solutions that can detect unauthorized administrative actions within WordPress systems, providing early warning capabilities when such vulnerabilities are exploited. Regular security training for administrators regarding plugin management and the importance of maintaining current security patches remains essential in preventing exploitation of similar authorization flaws across the WordPress ecosystem.