CVE-2023-2599 LOW

CVE-2023-2599: Active Directory Integration / LDAP Integration <= 4.1.4 - Cross-Site Request Forgery to SQL Injection

Vendor Cyberlord92
Product Active Directory Integration / LDAP Integration
Weakness CWE-352 · CSRF
Published June 9, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to cause resource exhaustion via a forged request granted they can trick an administrator into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

June 9, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-40048 WS_FTP Server Cross-Site Request Forgery (CSRF) Vulnerability CVE-2026-8419 Amazon Scraper <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update CVE-2023-48772 WordPress Prevent Landscape Rotation Plugin <= 2.0 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2025-39414 WordPress spam-stopper plugin <= 3.1.3 - CSRF to Stored XSS vulnerability CVE-2025-31383 WordPress FrescoChat Live Chat plugin <= 3.2.6 - CSRF to Stored XSS vulnerability