PT-2022-19890 · WordPress · Ldap Wp Login / Active Directory Integration

Lana Codes · Published 2022-09-26 · Updated 2023-07-20 · CVE-2022-2987

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Ldap WP Login / Active Directory Integration WordPress plugin, versions prior to 3.0.2

Description: The plugin lacks authorization and CSRF checks when updating its settings. The settings update handler is hooked to the init action, which runs on every request, so unauthenticated attackers can update the settings. An attacker could point the plugin at an LDAP server under their control to be used for authenticating users, thereby bypassing the current authentication.

Recommendations: For versions prior to 3.0.2, update to version 3.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the settings update functionality to prevent unauthenticated updates until a patch is applied.
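The following is an added illustration of the defect class described above and of the WordPress-idiomatic fix; it is not the plugin's own code, and the option name, action name, nonce name and function names are hypothetical placeholders. The first handler shows the weak shape (a settings write hooked to init with no capability or nonce check); the second routes the same write through admin-post.php and verifies both authorization and a nonce before touching the option.

```php
<?php
// Added example, not the plugin's code. All names prefixed "example_" are
// hypothetical placeholders chosen for illustration.

// Weak pattern: a settings handler hooked to 'init'. The init action fires on
// every request, including those from logged-out visitors, and nothing here
// checks who is asking or whether an administrator intentionally sent the form.
function example_ldap_settings_update_weak() {
    if ( isset( $_POST['example_ldap_server'] ) ) {
        update_option( 'example_ldap_server', $_POST['example_ldap_server'] );
    }
}
// add_action( 'init', 'example_ldap_settings_update_weak' ); // do not use

// Hardened pattern: admin-post.php only dispatches 'admin_post_{action}' for
// logged-in users (logged-out requests go to 'admin_post_nopriv_{action}',
// which is deliberately not registered here). The handler then checks the
// capability and the nonce before any option is written.
function example_ldap_settings_update_hardened() {
    // Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF: the form must carry a nonce issued for this specific action.
    check_admin_referer( 'example_ldap_settings_save', 'example_ldap_nonce' );

    $server = isset( $_POST['example_ldap_server'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_ldap_server'] ) )
        : '';
    // Accept only ldap:// or ldaps:// URLs so the option cannot be set to an
    // arbitrary value.
    if ( '' !== $server && ! preg_match( '#^ldaps?://#i', $server ) ) {
        wp_die( 'Invalid LDAP server URL', '', array( 'response' => 400 ) );
    }
    update_option( 'example_ldap_server', $server );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_ldap_settings_save', 'example_ldap_settings_update_hardened' );

// The matching settings form: posts to admin-post.php with the action name and
// a nonce field bound to that action.
function example_ldap_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_ldap_settings_save">
        <?php wp_nonce_field( 'example_ldap_settings_save', 'example_ldap_nonce' ); ?>
        <label>LDAP server
            <input type="text" name="example_ldap_server"
                   value="<?php echo esc_attr( get_option( 'example_ldap_server', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The two checks address the two weaknesses listed for this advisory separately: current_user_can() covers missing authorization, and check_admin_referer() covers CSRF. Moving the handler off init is what keeps an unauthenticated request from reaching the write at all; the capability check is still needed because a logged-in low-privilege user can also reach admin-post.php.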

Exploit

Fix

Weakness Enumeration: Missing Authorization, CSRF

Related Identifiers: CVE-2022-2987

Affected Products: Ldap Wp Login / Active Directory Integration