CVE-2023-4506: 
WordPress vulnerability analysis and mitigation

The Active Directory Integration / LDAP Integration plugin for WordPress (versions up to 4.1.10) contains a vulnerability known as LDAP Passback (CVE-2023-4506). This vulnerability was discovered and disclosed in September 2023. The issue affects the plugin's LDAP server configuration functionality and allows authenticated attackers with administrative access to retrieve credentials for the original LDAP server by changing the LDAP server settings (Medium Blog).

The vulnerability stems from insufficient validation when changing the LDAP server configuration. An attacker with administrative access can modify the LDAP server URL to point to a rogue LDAP server under their control. When the 'Test Connection' feature is used, the plugin sends the original LDAP server credentials to the attacker's server, exposing them in plain text. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N by NIST, while Wordfence assessed it with a lower score of 2.2 (LOW) (NVD).

The exploitation of this vulnerability could lead to the exposure of LDAP server credentials, potentially allowing attackers to gain unauthorized access to the organization's LDAP infrastructure. This could result in unauthorized access to sensitive user information and potentially lead to further compromise of the organization's directory services (Medium Blog).

According to the vendor's communication, they have decided not to patch the vulnerability, stating that an attacker with WordPress admin access should have LDAP access as well. The only mitigation proposed is to disable LDAP in favor of LDAPS on the network, though this does not provide protection against this specific attack. Users are advised to carefully consider the implications of using this plugin and implement additional security controls to protect administrative access (Medium Blog).