CVE-2023-4757: 
WordPress vulnerability analysis and mitigation

The Staff / Employee Business Directory for Active Directory WordPress plugin before version 1.2.3 contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on September 8, 2023, and was assigned CVE-2023-4757. The issue affects the plugin's handling of LDAP server data, which could potentially impact WordPress installations using this plugin (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of data returned from the LDAP server before rendering it in the page. This security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity and required privileges (NVD).

The vulnerability allows users who can control their entries in the LDAP directory to inject malicious JavaScript code. This injected code could be executed when high-privilege users, such as site administrators, view the affected pages. The impact primarily concerns confidentiality and integrity, with potential for unauthorized access to sensitive information or manipulation of user data (WPScan).

The vulnerability has been patched in version 1.2.3 of the Staff / Employee Business Directory for Active Directory WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).