Vulnerability Details : CVE-2023-3447
The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Injection in versions up to, and including, 4.1.5. This is due to insufficient escaping on the supplied username value. This makes it possible for unauthenticated attackers to extract potentially sensitive information from the LDAP directory.
Products affected by CVE-2023-3447
- Miniorange » Active Directory Integration / Ldap Integration » For WordpressVersions before (<) 4.1.6cpe:2.3:a:miniorange:active_directory_integration_\/_ldap_integration:*:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-3447
0.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 53 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-3447
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST | |
|
8.6
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
3.9
|
4.7
|
Wordfence |
CWE ids for CVE-2023-3447
-
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.Assigned by: security@wordfence.com (Primary)
References for CVE-2023-3447
-
https://www.wordfence.com/threat-intel/vulnerabilities/id/cd7553e8-e43d-4740-b2ee-e3d8dc351e53?source=cve
Active Directory Integration / LDAP Integration <= 4.1.5 - Unauthenticated LDAP InjectionThird Party Advisory
-
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2928150%40ldap-login-for-intranet-sites&new=2928150%40ldap-login-for-intranet-sites&sfp_email=&sfph_mail=
Changeset 2928150 for ldap-login-for-intranet-sites – WordPress Plugin RepositoryPatch
Jump to