exploitDog

CVE-2022-2987

Опубликовано: 26 сент. 2022

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating it's settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authentication

Ссылки

https://wpscan.com/vulnerability/0d9638b9-bf8a-474f-992d-2618884d3f67
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/0d9638b9-bf8a-474f-992d-2618884d3f67
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ldap_wp_login_\/_active_directory_integration_project:ldap_wp_login_\/_active_directory_integration:*:*:*:*:*:wordpress:*:*

Версия до 3.0.2 (исключая)

EPSS

Процентиль: 29%

0.00107

Низкий

7.5 High

CVSS3

Дефекты

CWE-352

CWE-352

Связанные уязвимости

GHSA-mh2q-2wc7-4q2g

CVSS3: 7.5

github

больше 3 лет назад

The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating it's settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authentication

EPSS

Процентиль: 29%

0.00107

Низкий

7.5 High

CVSS3

Дефекты

CWE-352

CWE-352