Wordpress apps: authLdap plugin Cross-Site Request Forgery
-
There is a new version with one of two issues patched
-
@imc67 said in Wordpress apps: authLdap plugin Cross-Site Request Forgery:
There is a new version with one of two issues patched
And I note that the other issue "only impacts multi-site installations and installations where unfiltered_html has been disabled."
Also from that page, it sounds like it is only people who are already logged-in Admins and above who could take advantage of it:
makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
So if you trust your Admins it doesn't really seem to be an issue (in my case this is normally only me, and I both trust myself and don't have the tech skills to take advantage of this potential exploit), hence why the author of the authLDAP plugin doesn't seem too bothered by it.
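To make the two conditions quoted above concrete, here is an added illustration of the general WordPress settings-page pattern the advisory text is describing. This is not code from authLdap or from anyone in this thread; the `myldap_` plugin prefix, option name and settings group are hypothetical. It contrasts the unprotected pattern (no nonce, so a logged-in admin can be made to submit the form from another site, and an unescaped stored value, so whatever was saved is echoed as markup) with the hardened one, and includes a check for the case the advisory scopes the second issue to: an administrator who does not hold `unfiltered_html`, which is the normal state on multisite (only super admins have it) or wherever `DISALLOW_UNFILTERED_HTML` is defined.

```php
<?php
// Added example only; not authLdap's code. Prefix "myldap_" and the
// option "myldap_uri" are hypothetical names used for illustration.

// ---- Unprotected pattern (the class of bug described above) ----
function myldap_save_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // No nonce check: a cross-site POST from a logged-in admin is accepted (CSRF).
    // Raw value stored: any markup the admin sends is kept as-is.
    update_option( 'myldap_uri', wp_unslash( $_POST['myldap_uri'] ?? '' ) );
}

function myldap_render_unprotected() {
    // Unescaped output: stored markup executes when an admin views the page.
    echo '<input name="myldap_uri" value="' . get_option( 'myldap_uri', '' ) . '">';
}

// ---- Hardened pattern ----
function myldap_sanitize_uri( $value ) {
    // Strip tags and stray whitespace on the way in, regardless of who saves it.
    return sanitize_text_field( (string) $value );
}

function myldap_register_settings() {
    // Settings API sanitize_callback runs on every update_option() for this key.
    register_setting( 'myldap_group', 'myldap_uri', array(
        'type'              => 'string',
        'sanitize_callback' => 'myldap_sanitize_uri',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'myldap_register_settings' );

function myldap_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Dies with "The link you followed has expired" if the nonce is missing
    // or invalid, which is what blocks the CSRF variant.
    check_admin_referer( 'myldap_save', 'myldap_nonce' );
    update_option( 'myldap_uri', wp_unslash( $_POST['myldap_uri'] ?? '' ) );
}

function myldap_render_hardened() {
    echo '<form method="post">';
    wp_nonce_field( 'myldap_save', 'myldap_nonce' );
    // Escape on the way out so a stored value can never break out of the attribute.
    echo '<input name="myldap_uri" value="' . esc_attr( get_option( 'myldap_uri', '' ) ) . '">';
    echo '</form>';
}

// ---- When does the stored-XSS half cross a privilege boundary? ----
// An admin who already holds unfiltered_html may publish arbitrary HTML through
// the editor anyway, so an unescaped setting adds nothing for them. The case
// the advisory scopes the issue to is an admin WITHOUT that capability.
function myldap_admin_lacks_unfiltered_html() {
    return current_user_can( 'manage_options' ) && ! current_user_can( 'unfiltered_html' );
}

// Typical reasons that capability is absent for a site administrator.
function myldap_why_unfiltered_html_missing() {
    $reasons = array();
    if ( is_multisite() ) {
        $reasons[] = 'multisite: only super admins hold unfiltered_html';
    }
    if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
        $reasons[] = 'DISALLOW_UNFILTERED_HTML is set in wp-config.php';
    }
    return $reasons;
}
```

The two halves line up with the advisory wording: the nonce check is what a CSRF fix adds, and the output escaping plus sanitize callback is what closes the stored-script path. `myldap_admin_lacks_unfiltered_html()` returning true is the situation in which that second path matters; on a single-site install where `DISALLOW_UNFILTERED_HTML` is not set it returns false for administrators, which is the "only if you don't trust your admins" reading above.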