CVE-2022-2987: 
WordPress vulnerability analysis and mitigation

CVE-2022-2987 affects the Ldap WP Login / Active Directory Integration WordPress plugin versions before 3.0.2. The vulnerability was discovered and publicly disclosed on September 5, 2022. The plugin lacks proper authorization and CSRF checks when updating settings, which are hooked to the init action (WPScan).

The vulnerability stems from missing authorization and Cross-Site Request Forgery (CSRF) checks in the plugin's settings update functionality. The issue is classified with CWE-352 (CSRF) and CWE-862 (Missing Authorization). It has received a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and no required privileges (NVD).

The vulnerability allows unauthenticated attackers to modify the plugin's settings. Specifically, attackers can configure their own LDAP server to be used for user authentication, effectively bypassing the existing authentication mechanisms (WPScan).

The vulnerability has been patched in version 3.0.2 of the Ldap WP Login / Active Directory Integration plugin. Users are advised to update to this version or later to protect against potential exploitation (WPScan).