{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-11197", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-11-13T20:46:00.400Z", "datePublished": "2024-11-21T02:06:34.525Z", "dateUpdated": "2026-04-08T16:57:16.073Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:16.073Z"}, "affected": [{"vendor": "babatechs", "product": "Lock User Account", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Lock User Account plugin for WordPress is vulnerable to user lock bypass in all versions up to, and including, 1.0.5. This is due to permitting application password logins when user accounts are locked. This makes it possible for authenticated attackers, with existing application passwords, to interact with the vulnerable site via an API such as XML-RPC or REST despite their account being locked."}], "title": "Lock User Account <= 1.0.5 - User Lock Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63374c5c-0b0a-4091-9aee-2e6c1d17a1b2?source=cve"}, {"url": "https://wordpress.org/plugins/lock-user-account/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-693 Protection Mechanism Failure", "cweId": "CWE-693", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.2, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Francesco Carlucci"}], "timeline": [{"time": "2024-11-20T13:51:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11197", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-21T11:34:55.704176Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T11:40:11.462Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11197", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-21T11:34:55.704176Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-21T11:34:56.928Z"}}], "cna": {"title": "Lock User Account <= 1.0.5 - User Lock Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Francesco Carlucci"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.2, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "babatechs", "product": "Lock User Account", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-11-20T13:51:55.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63374c5c-0b0a-4091-9aee-2e6c1d17a1b2?source=cve"}, {"url": "https://wordpress.org/plugins/lock-user-account/"}], "descriptions": [{"lang": "en", "value": "The Lock User Account plugin for WordPress is vulnerable to user lock bypass in all versions up to, and including, 1.0.5. This is due to permitting application password logins when user accounts are locked. This makes it possible for authenticated attackers, with existing application passwords, to interact with the vulnerable site via an API such as XML-RPC or REST despite their account being locked."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:16.073Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11197", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:16.073Z", "dateReserved": "2024-11-13T20:46:00.400Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-11-21T02:06:34.525Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Lock User Account plugin for WordPress is vulnerable to user lock bypass in all versions up to, and including, 1.0.5. This is due to permitting application password logins when user accounts are locked. This makes it possible for authenticated attackers, with existing application passwords, to interact with the vulnerable site via an API such as XML-RPC or REST despite their account being locked."}, {"lang": "es", "value": "El complemento Lock User Account para WordPress es vulnerable a la omisi\u00f3n del bloqueo de usuarios en todas las versiones hasta la 1.0.5 incluida. Esto se debe a que permite iniciar sesi\u00f3n con contrase\u00f1a de la aplicaci\u00f3n cuando las cuentas de usuario est\u00e1n bloqueadas. Esto hace posible que los atacantes autenticados, con contrase\u00f1as de aplicaci\u00f3n existentes, interact\u00faen con el sitio vulnerable a trav\u00e9s de una API como XML-RPC o REST a pesar de que su cuenta est\u00e9 bloqueada."}], "id": "CVE-2024-11197", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-11-21T11:15:24.060", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/lock-user-account/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/63374c5c-0b0a-4091-9aee-2e6c1d17a1b2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"created": "2025-07-12T15:42:30.547841+00:00", "updated": "2025-07-12T15:42:30.547885+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}