Description
WordPress Plugin Ldap WP Login/Active Directory Integration is prone to multiple vulnerabilities, including cross-site scripting and security bypass vulnerabilities. Exploiting these issues may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, or to perform otherwise restricted actions and subsequently update the plugin's settings. WordPress Plugin Ldap WP Login/Active Directory Integration version 3.0.1 is vulnerable; prior versions may also be affected.
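The two vulnerability classes named above (a settings update reachable without authorization, and a value echoed back without escaping) are illustrated below in a generic WordPress settings handler. This is an added example written for this page, not code from the plugin itself; the option name `ldap_example_server`, the action name `ldap_example_save`, the nonce name and the function names are hypothetical, and nothing here claims to reproduce where the plugin's own defects were. The weak form is shown first, then the hardened form a WordPress developer would ship.

```php
<?php
// Added illustration (not the plugin's code). Hypothetical names throughout:
// option "ldap_example_server", admin-post action "ldap_example_save",
// nonce field "ldap_example_nonce".

// WEAK: no capability check (anyone who can reach the handler can change the
// setting), no nonce (the request can be forged cross-site), and the raw value
// is echoed straight back (reflected XSS). If this were also hooked to
// 'admin_post_nopriv_ldap_example_save', admin-post.php would run it for
// logged-out visitors as well, i.e. an unauthenticated settings update.
function ldap_example_save_settings_weak() {
    update_option( 'ldap_example_server', $_POST['server'] );
    echo 'Saved server: ' . $_POST['server'];
}

// HARDENED: only users with manage_options, only from a form that carried a
// valid nonce, input sanitized and validated on the way in, no raw echo.
function ldap_example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'ldap-example' ), 403 );
    }
    // Dies with a 403 if the nonce is missing, expired or for a different action.
    check_admin_referer( 'ldap_example_save', 'ldap_example_nonce' );

    $server = isset( $_POST['server'] ) ? sanitize_text_field( wp_unslash( $_POST['server'] ) ) : '';

    // An LDAP server setting should be host[:port]; reject anything else so
    // markup or control characters never reach the option table.
    if ( ! preg_match( '/^[A-Za-z0-9.\-]+(:\d{1,5})?$/', $server ) ) {
        wp_die( esc_html__( 'Invalid LDAP server.', 'ldap-example' ), 400 );
    }

    update_option( 'ldap_example_server', $server );

    // Redirect back to the settings page instead of echoing request data.
    wp_safe_redirect( add_query_arg( 'ldap_example_saved', '1', admin_url( 'options-general.php?page=ldap-example' ) ) );
    exit;
}
// Deliberately no 'admin_post_nopriv_' registration: logged-out requests get nothing.
add_action( 'admin_post_ldap_example_save', 'ldap_example_save_settings' );

// Rendering the stored value back into the form: escape for the attribute
// context, and emit the nonce the handler above verifies.
function ldap_example_render_field() {
    $server = get_option( 'ldap_example_server', '' );
    printf( '<input type="text" name="server" value="%s" />', esc_attr( $server ) );
    wp_nonce_field( 'ldap_example_save', 'ldap_example_nonce' );
}
```

When reviewing any plugin for the classes listed in this advisory, the three things to look for are exactly the three lines the weak handler lacks: a `current_user_can()` check, a `check_admin_referer()` / `wp_verify_nonce()` check, and an `esc_*()` call at every point where stored or submitted data is written into HTML.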
Remediation
Update to plugin version 3.0.2 or later.
References
https://sploitus.com/exploit?id=WPEX-ID:0D9638B9-BF8A-474F-992D-2618884D3F67
https://sploitus.com/exploit?id=WPEX-ID:1DC2CEC8-E3DD-414B-8CCB-D73D51B051EE
https://plugins.svn.wordpress.org/ldap-wp-login-integration-with-active-directory/trunk/readme.txt