WordPress Plugin Vulnerabilities

WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) < 3.1.0 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Description

The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdpr_policy_process_delete() function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to delete arbitrary posts.

Affects Plugins

Plugin icon
gdpr-cookie-consent
Fixed in 3.1.0

References

CVE
CVE-2024-3599
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4b9abbf1-d9f5-4406-9d0c-bc2f9891d0e8

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
4acb28e3-0ad6-4f54-9f63-97888ac35969

Timeline

Publicly Published
2024-04-16 (about 2 years ago)
Added
2024-04-16 (about 2 years ago)
Last Updated
2024-04-16 (about 2 years ago)

Other

Published
Title
Published
2025-01-16
Title
Minterpress <= 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2026-05-04
Title
ElementsKit Elementor Addons < 3.9.0 - Unauthenticated Missing Authorization to Widget Content Overwrite
Published
2026-01-09
Title
Tickera < 3.5.6.5 - Missing Authorization
Published
2025-01-16
Title
WP Meetup <= 2.3.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2024-02-05
Title
Advanced Forms for ACF < 1.9.3.3 - Missing Authorization to Unauthenticated Form Settings Export