CVE-2023-4153

HIGH

BAN Users < 1.5.3 - Authenticated Privilege Escalation via Missing Capability Check

Title source: llm

Description

The BAN Users plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.5.3 due to a missing capability check on the 'w3dev_save_ban_user_settings_callback' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify the plugin settings to access the ban and unban functionality and set the role of the unbanned user.

References (3)

Core 3

Core References

Broken Link

https://plugins.trac.wordpress.org/browser/ban-users/tags/1.5.3/include/ajax.php#L109

Broken Link

https://plugins.trac.wordpress.org/browser/ban-users/tags/1.5.3/include/ajax.php#L199

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/af6bd2db-47a4-4381-a881-d5f97a159f8d?source=cve

Scores

CVSS v3 8.8

EPSS 0.0069

EPSS Percentile 47.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-266

Status published

Products (2)

webmedia/ban_users < 1.5.3

webxmedia/BAN Users < 1.5.3

Published Sep 13, 2023

Tracked Since Feb 18, 2026