The vulnerability identified as CVE-2024-13530 affects all versions up to 7.1.1 of the WordPress plugin 'Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login URL – Sign in, Sign out' developed by zia-imtiaz. The root cause is a missing authorization (capability) check in three critical functions: lps_handle_delete_all_logs(), lps_handle_delete_login_log(), and lps_handle_end_session(). These functions are responsible for deleting login attempt logs and terminating user sessions. Due to the lack of proper capability verification, any authenticated user with Subscriber-level access or higher can invoke these functions to delete login logs and forcibly end sessions of other users. This bypasses intended administrative controls and compromises the integrity of login records and session management. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), and privileges required are low (PR:L), meaning any logged-in user with minimal permissions can exploit it. The scope remains unchanged (S:U), and the impact affects integrity only (I:L), with no impact on confidentiality or availability. The CVSS v3.1 base score is 4.3, indicating medium severity. No known exploits have been reported in the wild, and no official patches were linked at the time of publication. The vulnerability is classified under CWE-862 (Missing Authorization).

The primary impact of this vulnerability is the unauthorized modification of login-related data and session states. Attackers with Subscriber-level access can delete login attempt logs, which undermines the ability of administrators to audit and detect suspicious login activities, potentially masking brute force or credential stuffing attacks. Additionally, attackers can forcibly end sessions of other users, causing denial of service at the session level and potentially disrupting legitimate user activities. While this does not directly expose sensitive data or cause system downtime, it weakens security monitoring and session control mechanisms, increasing the risk of further exploitation or persistent unauthorized access. Organizations relying on this plugin for login security and session management may face increased risk of undetected attacks and user disruption. The vulnerability affects any WordPress site using the plugin, which is widely deployed globally, thus posing a broad risk to websites that depend on it for login customization and security.

1. Monitor the plugin vendor’s official channels for security updates and apply patches promptly once released. 2. Until an official patch is available, implement custom authorization checks by modifying the plugin code to enforce capability verification on the vulnerable functions (lps_handle_delete_all_logs(), lps_handle_delete_login_log(), lps_handle_end_session()). 3. Restrict Subscriber-level users from accessing administrative or sensitive plugin endpoints by adjusting WordPress role capabilities or using additional access control plugins. 4. Enable comprehensive logging and monitoring of login activities and session management to detect unusual deletions or session terminations. 5. Consider temporarily disabling or replacing the plugin with alternative solutions that have verified secure authorization controls. 6. Educate site administrators and users about the risk of unauthorized session termination and encourage strong authentication practices to reduce risk of account compromise. 7. Regularly audit user roles and permissions to ensure minimal privilege principles are enforced.