CVE-2024-1050: CWE-862 Missing Authorization in carazo Import and export users and customers
CVE-2024-1050 is a medium severity vulnerability in the WordPress plugin 'Import and export users and customers' by carazo. The flaw arises from a missing authorization check in the ajax_force_reset_password_delete_metas() function, allowing authenticated users with subscriber-level access or higher to delete forced password resets. This unauthorized modification can undermine password reset enforcement policies, potentially enabling attackers to bypass security controls. The vulnerability affects all plugin versions up to and including 1.26.5. Exploitation requires no user interaction but does require at least subscriber-level authentication. There are currently no known exploits in the wild, and no patches have been published yet. Organizations using this plugin should prioritize access control reviews and monitor for suspicious activity related to password reset enforcement.
AI Analysis
Technical Summary
CVE-2024-1050 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WordPress plugin 'Import and export users and customers' developed by carazo. The issue stems from the ajax_force_reset_password_delete_metas() function lacking proper capability checks, which means that authenticated users with minimal privileges (subscriber-level or above) can invoke this AJAX endpoint to delete all forced password resets. Forced password resets are typically used by administrators to require users to change their passwords, often as a security measure after a compromise or policy update. By deleting these forced resets, an attacker can prevent users from being compelled to update their credentials, thereby maintaining access with potentially compromised passwords. The vulnerability affects all versions up to and including 1.26.5. The CVSS 3.1 base score is 4.3 (medium): the attack vector is network-based, attack complexity is low, low privileges are required, no user interaction is needed, the scope is unchanged, and only integrity is impacted, not confidentiality or availability. No patches or mitigations have been officially released at the time of this report, and no known exploits have been observed in the wild. The vulnerability is significant because it lets a low-privileged user tamper with an administrative control (password reset enforcement), which could facilitate further unauthorized access or persistence within affected WordPress sites.
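As an added illustration of the control the advisory says is missing (this is example code, not the plugin's source), a WordPress AJAX handler of this kind should verify a nonce and the caller's capability before deleting user metadata; the action name, nonce name and meta key below are hypothetical placeholders:

```php
<?php
/*
 * Added example, not code from the plugin. Shows the authorization check that
 * CWE-862 describes as missing: an AJAX handler that clears per-user
 * "forced reset" metadata must verify the caller's capability (and a nonce)
 * before touching user metadata. All names here are hypothetical.
 */

// Hypothetical meta key; the plugin's real key is not given in the advisory.
define( 'EXAMPLE_FORCED_RESET_META_KEY', 'example_force_reset_password' );

function example_ajax_force_reset_password_delete_metas() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_force_reset_nonce', 'nonce' );

    // 2. Authorization (the control missing in CVE-2024-1050): only users who
    //    may manage the site can clear forced password resets. A subscriber
    //    fails this check and gets a 403 instead of silently deleting metadata.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Only now perform the privileged action. delete_metadata() with
    //    $delete_all = true removes the key for every user (object_id ignored).
    $deleted = delete_metadata( 'user', 0, EXAMPLE_FORCED_RESET_META_KEY, '', true );

    wp_send_json_success( array( 'deleted' => (bool) $deleted ) );
}

// Registered on wp_ajax_ (logged-in users only), not wp_ajax_nopriv_. The
// capability check above is still required: every authenticated role,
// including subscriber, can reach wp_ajax_ hooks.
add_action( 'wp_ajax_example_force_reset_delete_metas', 'example_ajax_force_reset_password_delete_metas' );
```

The same two checks (nonce, then capability) apply to any WordPress AJAX handler that performs an administrative action; a subscriber should never pass the capability test for a site-wide change.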
Potential Impact
The primary impact of this vulnerability is the unauthorized modification of security controls related to password resets. By deleting forced password resets, attackers can prevent users from being required to change their passwords, potentially allowing compromised credentials to remain valid indefinitely. This undermines organizational security policies and increases the risk of account takeover and lateral movement within affected WordPress environments. Although the vulnerability does not directly expose sensitive data or cause denial of service, it weakens the integrity of authentication enforcement mechanisms. Organizations relying on this plugin for user management are at risk of persistent unauthorized access if attackers exploit this flaw. The impact is especially significant for sites with multiple user roles and where password reset enforcement is a key part of security hygiene. Since exploitation requires only subscriber-level access, attackers can use a compromised low-privilege account to interfere with user authentication policies.
Mitigation Recommendations
1. Immediately restrict subscriber-level and other low-privilege user access to the affected WordPress plugin functionality, if possible, until a patch is available.
2. Monitor and audit logs for any suspicious activity related to password reset enforcement or modifications to user metadata.
3. Implement additional access control measures such as two-factor authentication (2FA) for all user accounts to reduce the risk of account compromise.
4. Consider temporarily disabling or uninstalling the 'Import and export users and customers' plugin if it is not essential to operations.
5. Follow the plugin vendor's updates closely and apply patches as soon as they are released.
6. Use WordPress security plugins or web application firewalls (WAFs) that can detect and block unauthorized AJAX requests targeting this function.
7. Educate administrators and users about the importance of strong passwords and regular password changes independent of forced resets.
8. Review and harden WordPress user role permissions to minimize unnecessary access to plugin features.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-29T19:55:57.619Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d1eb7ef31ef0b56e138
Added to database: 2/25/2026, 9:43:58 PM
Last enriched: 2/26/2026, 9:12:53 AM
Last updated: 2/26/2026, 9:39:42 AM