Vulnerability Description
The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating it's settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authentication
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ldap Wp Login \/ Active Directory Integration Project | Ldap Wp Login \/ Active Directory Integration | < 3.0.2 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/0d9638b9-bf8a-474f-992d-2618884d3f67ExploitThird Party Advisory
- https://wpscan.com/vulnerability/0d9638b9-bf8a-474f-992d-2618884d3f67ExploitThird Party Advisory
FAQ
What is CVE-2022-2987?
CVE-2022-2987 is a vulnerability with a CVSS score of 7.5 (HIGH). The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating it's settings (which are hooked to the init action), allowi...
How severe is CVE-2022-2987?
CVE-2022-2987 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-2987?
Check the references section above for vendor advisories and patch information. Affected products include: Ldap Wp Login \/ Active Directory Integration Project Ldap Wp Login \/ Active Directory Integration.