CVE-2024-11197: CWE-693 Protection Mechanism Failure in babatechs Lock User Account
The Lock User Account plugin for WordPress is vulnerable to user lock bypass in all versions up to, and including, 1.0.5. This is due to permitting application password logins when user accounts are locked. This makes it possible for authenticated attackers, with existing application passwords, to interact with the vulnerable site via an API such as XML-RPC or REST despite their account being locked.
AI Analysis
Technical Summary
CVE-2024-11197 is a protection mechanism failure (CWE-693) in the babatechs Lock User Account WordPress plugin. The vulnerability allows authenticated users who possess valid application passwords to bypass the account lock feature by authenticating through APIs such as XML-RPC or REST. This undermines the intended lockout mechanism, enabling continued interaction with the site despite the user account being locked. The issue affects all versions up to and including 1.0.5. The CVSS 3.1 base score is 4.2, reflecting a medium severity with network attack vector, high attack complexity, low privileges required, no user interaction, and limited confidentiality and integrity impact.
Potential Impact
Authenticated attackers with existing application passwords can bypass the user account lock and interact with the site via API endpoints. This could lead to unauthorized access to user-specific functionality or data despite the account being locked. The impact is limited to confidentiality and integrity with no availability impact reported. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider disabling application password logins or restricting API access for locked accounts as a temporary mitigation. Monitor vendor channels for updates and apply patches promptly once available.
CVE-2024-11197: CWE-693 Protection Mechanism Failure in babatechs Lock User Account
Description
The Lock User Account plugin for WordPress is vulnerable to user lock bypass in all versions up to, and including, 1.0.5. This is due to permitting application password logins when user accounts are locked. This makes it possible for authenticated attackers, with existing application passwords, to interact with the vulnerable site via an API such as XML-RPC or REST despite their account being locked.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-11197 is a protection mechanism failure (CWE-693) in the babatechs Lock User Account WordPress plugin. The vulnerability allows authenticated users who possess valid application passwords to bypass the account lock feature by authenticating through APIs such as XML-RPC or REST. This undermines the intended lockout mechanism, enabling continued interaction with the site despite the user account being locked. The issue affects all versions up to and including 1.0.5. The CVSS 3.1 base score is 4.2, reflecting a medium severity with network attack vector, high attack complexity, low privileges required, no user interaction, and limited confidentiality and integrity impact.
Potential Impact
Authenticated attackers with existing application passwords can bypass the user account lock and interact with the site via API endpoints. This could lead to unauthorized access to user-specific functionality or data despite the account being locked. The impact is limited to confidentiality and integrity with no availability impact reported. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider disabling application password logins or restricting API access for locked accounts as a temporary mitigation. Monitor vendor channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-11-13T20:46:00.400Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e08b7ef31ef0b593f8f
Added to database: 2/25/2026, 9:47:52 PM
Last enriched: 4/9/2026, 12:12:05 PM
Last updated: 4/12/2026, 11:41:30 AM
Views: 20
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.