CVE-2023-4505 LOW

CVE-2023-4505: Staff / Employee Business Directory for Active Directory <= 1.2.3 - Authenticated (Admin+) LDAP Passback

Vendor Cyberlord92
Product Staff/Employee Business Directory for Active Directory
Weakness CWE-306 · Missing Authentication for Critical Function
Published September 26, 2023
Last update April 8, 2026

CVSS base score

2.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server.

Key dates

Disclosure timeline

September 26, 2023 CVE published
April 8, 2026 Record updated