The Fasttoggle module 7.x-1.3 and 7.x-1.4 for Drupal allows remote attackers to block or unblock an account via a crafted user status link.