CVE-2022-2987

Published: Sep 26, 2022Modified: Jun 17, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating it's settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authentication

Affected (1)

Products: Ldap Wp Login / Active Directory Integration Project: Ldap Wp Login / Active Directory Integration

Ldap Wp Login / Active Directory Integration Project

1 product

Ldap Wp Login / Active Directory Integration

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ldap Wp Login / Active Directory Integration Project Ldap Wp Login / Active Directory Integration	Before 3.0.2

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://wpscan.com/vulnerability/0d9638b9-bf8a-474f-992d-2618884d3f67

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/0d9638b9-bf8a-474f-992d-2618884d3f67

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.