CVE-2022-2350: 
WordPress vulnerability analysis and mitigation

The Disable User Login WordPress plugin through version 1.0.1 contains a security vulnerability identified as CVE-2022-2350. The vulnerability was discovered in 2022 and affects the plugin's settings update functionality. This security issue stems from the absence of both authorization and CSRF (Cross-Site Request Forgery) checks in the plugin's settings management system (WPScan).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The issue is tracked under CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization). The vulnerability specifically affects the plugin's settings update mechanism through the WordPress admin-ajax.php endpoint (NVD).

The vulnerability allows unauthenticated attackers to manipulate user access controls by blocking or unblocking users at will. This unauthorized access to user management functions could lead to denial of service conditions for legitimate users of the WordPress site (WPScan).

As of the vulnerability disclosure, there is no known fix available for this security issue. Users of the affected plugin versions (through 1.0.1) should consider either disabling the plugin or implementing additional security controls at the web application firewall level to restrict access to the affected endpoints (WPScan).