CVE-2023-4505

2023-09-2715:19:40

[email protected]

web.nvd.nist.gov

wordpress

active directory

ldap

passback

vulnerability

authentication

administrative access

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

3.9

Confidence

High

EPSS

0.001

Percentile

31.5%

JSON

The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server.

Affected configurations

Nvd

Node

miniorangestaff_\/_employee_business_directory_for_active_directoryRange<1.3wordpress

VendorProductVersionCPE
miniorangestaff_\/_employee_business_directory_for_active_directory*cpe:2.3:a:miniorange:staff_\/_employee_business_directory_for_active_directory:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
miniorange	staff_\/_employee_business_directory_for_active_directory	*	cpe:2.3:a:miniorange:staff_\/_employee_business_directory_for_active_directory::::::wordpress::*