CVE-2024-11197

MEDIUM 4.2

Lock User Account <= 1.0.5 - User Lock Bypass

CVSS Score

4.2

EPSS Score

0.0%

EPSS Percentile

0th

The Lock User Account plugin for WordPress is vulnerable to user lock bypass in all versions up to, and including, 1.0.5. This is due to permitting application password logins when user accounts are locked. This makes it possible for authenticated attackers, with existing application passwords, to interact with the vulnerable site via an API such as XML-RPC or REST despite their account being locked.

CWE	CWE-693
Vendor	babatechs
Product	lock user account
Published	Nov 21, 2024
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for babatechs lock user account

Be the first to know when new medium vulnerabilities affecting babatechs lock user account are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

babatechs / Lock User Account

0 ≤ 1.0.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/63374c5c-0b0a-4091-9aee-2e6c1d17a1b2?source=cve wordpress.org: https://wordpress.org/plugins/lock-user-account/

Credits

Francesco Carlucci