Vulnerability Description
The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Miniorange | Staff \/ Employee Business Directory For Active Directory | < 1.3 |
Related Weaknesses (CWE)
References
- https://medium.com/%40cybertrinchera/cve-2023-4506-cve-2023-4505-ldap-passback-oExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2973020/
- https://wordpress.org/plugins/ldap-ad-staff-employee-directory-search/Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1ea40b96-4693-4f98-8e6Third Party Advisory
- https://medium.com/%40cybertrinchera/cve-2023-4506-cve-2023-4505-ldap-passback-oExploitThird Party Advisory
- https://wordpress.org/plugins/ldap-ad-staff-employee-directory-search/Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1ea40b96-4693-4f98-8e6Third Party Advisory
FAQ
What is CVE-2023-4505?
CVE-2023-4505 is a vulnerability with a CVSS score of 2.2 (LOW). The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when ch...
How severe is CVE-2023-4505?
CVE-2023-4505 has been rated LOW with a CVSS base score of 2.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-4505?
Check the references section above for vendor advisories and patch information. Affected products include: Miniorange Staff \/ Employee Business Directory For Active Directory.