A Privilege Escalation vulnerability has been identified in the WordPress BAN Users Plugin. It could allow a malicious actor with a low-privileged account to escalate to a higher-privileged one and take full control of the website.

This vulnerability was discovered and responsibly reported by Lana Codes.

The flaw is located in the plugin's ban-users.php file: the plugin does not handle user input safely, and an attacker can exploit this to escalate their privileges.

Severity:

The vulnerability has a CVSS 3.1 score of 8.8, rated High. A score at this level indicates that exploitation is practical and that a successful attack could have a significant impact on the affected system.

Affected Versions:

As of the latest information, no patched version is available that fixes the Privilege Escalation vulnerability in the BAN Users Plugin, so every site currently running the plugin remains exposed to potential attacks.

Impact:

An attacker who successfully exploits this vulnerability could:

  • Escalate their low-privileged account to something with higher privileges.
  • Take full control of the website, including:
    • Modifying or deleting any data on the website.
    • Installing or uninstalling plugins or themes.
    • Changing the website’s configuration.
    • Creating or deleting user accounts.

Recommendation:

Given the severity of this vulnerability, immediate action is necessary to secure the website:

  • Remove the Plugin: Users of the BAN Users Plugin are strongly advised to deactivate and uninstall the plugin until a patched version is released.
  • Enhance Security Measures: Strengthen the website’s security posture by implementing robust authentication, strict access controls, and regular security assessments. A proactive approach is essential to thwart potential exploitation attempts.