CVE-2022-2987

HIGH

Ldap WP Login / Active Directory Integration < 3.0.2 - Unauthenticated Settings Update and Authentication Bypass

Title source: llm

Description

The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not perform any authorisation or CSRF checks when updating its settings (the update handler is hooked to the init action), allowing unauthenticated attackers to change them. An attacker could point the plugin at an LDAP server they control and have it used to authenticate users, thereby bypassing the site's current authentication.

References (1)

Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/0d9638b9-bf8a-474f-992d-2618884d3f67

Scores

CVSS v3 7.5
EPSS 0.0039
EPSS Percentile 30.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-352 CWE-862
Status published
Products (1)
ldap_wp_login_/_active_directory_integration_project/ldap_wp_login_/_active_directory_integration < 3.0.2
Published Sep 26, 2022
Tracked Since Feb 18, 2026