CVE-2025-48343: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in Aaron Axelsen WPMU Ldap Authentication plugin version 5.0.1 and earlier versions, which allows for Stored Cross-Site Scripting (XSS) attacks. The vulnerability was disclosed on August 28, 2025, and affects all versions of the plugin up to version 5.0.1 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring no privileges (PR:N), but does need user interaction (UI:R). The scope is changed (S:C), with low impacts on confidentiality, integrity, and availability (NVD).

The vulnerability allows attackers to execute Cross-Site Request Forgery attacks that can lead to stored Cross-Site Scripting, potentially compromising the security of the affected WordPress installations. The impact includes possible unauthorized actions performed under the victim's authentication context and the potential injection of malicious scripts (Patchstack).

As there is no official fix available for this vulnerability, the recommended mitigation strategy is to remove and replace the WPMU Ldap Authentication plugin with an alternative solution. Deactivating the plugin alone does not remove the security threat unless a virtual patch is deployed (Patchstack).