VYPR
Medium severity · 4.3 · NVD Advisory · Published Jan 31, 2025 · Updated Apr 15, 2026

CVE-2024-13530

Description

The Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login URL – Sign in , Sign out plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the lps_handle_delete_all_logs(), lps_handle_delete_login_log(), and lps_handle_end_session() functions in all versions up to, and including, 7.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete login logs and end user sessions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated Subscriber+ users can delete login logs and end user sessions via missing capability checks in Login Page Styler plugin versions ≤7.1.1.

Vulnerability Description

The Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login URL – Sign in , Sign out plugin for WordPress (versions up to and including 7.1.1) fails to perform a capability check on three administrative functions: lps_handle_delete_all_logs(), lps_handle_delete_login_log(), and lps_handle_end_session() [1]. This missing authorization check means that any authenticated user, regardless of role, can invoke these functions as long as they are logged into the WordPress dashboard.

Attack Vector and Prerequisites

An attacker must have a valid WordPress user account with at least Subscriber-level access to exploit this vulnerability. No additional privileges are required. The functions are accessible via AJAX or direct POST requests; because there is no nonce or capability validation, a low-privileged user can trigger log deletion or session termination by crafting a simple HTTP request [1].

Impact

A successful attack allows the authenticated attacker to delete all stored login logs, removing evidence of failed or successful authentication attempts. Additionally, the attacker can terminate active sessions of other users, potentially disrupting legitimate access. This undermines the security monitoring features of the plugin that are intended to track login activity and detect brute-force attacks [1].

Mitigation

The vendor has been notified, and users are strongly advised to update the plugin to version 7.1.2 or later, where the missing capability checks have been added [1]. As of the publication date, no known active exploitation in the wild has been reported, but administrators should prioritize updating to prevent unauthorized access to these sensitive administrative actions.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
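The bug class behind this CVE is a WordPress `wp_ajax_{action}` handler that changes state without first asking whether the caller is allowed to. The `wp_ajax_` hook only requires that *some* user be logged in, so a Subscriber reaches the handler just as an administrator does. The following is an added illustration, not code from the Login Page Styler plugin: the handler names (`example_delete_all_logs`, `example_delete_login_log`, `example_end_session`), the `example_login_log` table and the `manage_options` capability are assumptions chosen to mirror the three functions named in the advisory. It shows the unguarded pattern once, then the same three actions behind a shared authorization-then-nonce guard.

```php
<?php
/**
 * Added example (not the plugin's own code). Hypothetical handlers that mirror the
 * three actions in CVE-2024-13530. Assumes a WordPress install and a hypothetical
 * custom table {$wpdb->prefix}example_login_log holding login-log rows.
 */

// --- Vulnerable pattern: wp_ajax_* only requires authentication, so any logged-in
// user (Subscriber and up) can call this and wipe the audit trail.
add_action( 'wp_ajax_example_delete_all_logs_insecure', 'example_delete_all_logs_insecure' );
function example_delete_all_logs_insecure() {
    global $wpdb;
    // No current_user_can() and no nonce check before a destructive write.
    $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}example_login_log" );
    wp_send_json_success( 'logs deleted' );
}

// --- Hardened pattern: capability check, then CSRF nonce, then the state change.
add_action( 'wp_ajax_example_delete_all_logs', 'example_delete_all_logs' );
function example_delete_all_logs() {
    example_require_admin_action( 'example_delete_all_logs' );
    global $wpdb;
    $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}example_login_log" );
    wp_send_json_success( 'logs deleted' );
}

add_action( 'wp_ajax_example_delete_login_log', 'example_delete_login_log' );
function example_delete_login_log() {
    example_require_admin_action( 'example_delete_login_log' );
    global $wpdb;
    $log_id = isset( $_POST['log_id'] ) ? absint( $_POST['log_id'] ) : 0;
    if ( 0 === $log_id ) {
        wp_send_json_error( 'invalid log id', 400 );
    }
    // $wpdb->delete() builds a prepared WHERE clause from the typed array.
    $wpdb->delete( $wpdb->prefix . 'example_login_log', array( 'id' => $log_id ), array( '%d' ) );
    wp_send_json_success( 'log deleted' );
}

add_action( 'wp_ajax_example_end_session', 'example_end_session' );
function example_end_session() {
    example_require_admin_action( 'example_end_session' );
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $user_id || ! get_userdata( $user_id ) ) {
        wp_send_json_error( 'unknown user', 400 );
    }
    // Core API that invalidates every session token held by that user.
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
    wp_send_json_success( 'sessions ended' );
}

/**
 * Shared guard for privileged AJAX actions. The capability check comes first so an
 * unprivileged caller is refused before the nonce is even looked at; the nonce is
 * the one the admin page emitted with wp_nonce_field( $action, '_wpnonce' ).
 */
function example_require_admin_action( $action ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_* calls wp_die(), no return
    }
    // Third argument false: return instead of dying so we control the JSON response.
    if ( ! check_ajax_referer( $action, '_wpnonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
}
```

The guard is deliberately a separate function so that every `wp_ajax_` registration in a plugin can be reviewed for one thing: that it calls the guard before touching the database or session store. When auditing a plugin for this class of bug, list every `add_action( 'wp_ajax_…' )` and confirm each callback reaches `current_user_can()` (or an equivalent capability test) before any write; a nonce alone is not authorization, since a Subscriber can obtain a valid nonce from any page that embeds it.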
