CVE-2023-4757

Published: Jan 16, 2024Modified: Jun 20, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin.

Affected (1)

Products: Miniorange: Staff / Employee Business Directory For Active Directory

1 product

Staff / Employee Business Directory For Active Directory

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Miniorange Staff / Employee Business Directory For Active Directory	Before 1.2.3

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://wpscan.com/vulnerability/0b953413-cf41-4de7-ac1f-c6cb995fb158/

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/0b953413-cf41-4de7-ac1f-c6cb995fb158/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.