GDPR Cookie Consent < 1.8.3 – Improper Access Controls | CVE 2020-20633

Description

Improper Access Controls issue in the cli_policy_generator AJAX call which could allow an authenticated user with low privileges (such as a subscriber) to:

- Change the status of any post/page from published to draft, removing them from the frontend of the blog.

- Put a payload in the content of one of them, leading to Stored Cross-Site Scripting (XSS) issues.

Affects Plugins

cookie-law-info

Fixed in 1.8.3

References

CVE

CVE-2020-20633

URL

https://blog.nintechnet.com/wordpress-gdpr-cookie-consent-plugin-fixed-vulnerability/

URL

https://www.wordfence.com/blog/2020/02/improper-access-controls-in-gdpr-cookie-consent-plugin/

Miscellaneous

Original Researcher

Jerome Bruandet (nintechnet.com)

Verified

WPVDB ID

510b529d-c4a2-4605-8498-b53a2f8f1dd9

Timeline

Publicly Published

2020-02-12 (about 6 years ago)

Added

2020-02-12 (about 6 years ago)

Last Updated

2020-08-22 (about 5 years ago)

Other

Published

Title

Published

2021-07-02

Title

Workreap < 2.2.2 - Multiple CSRF + IDOR Vulnerabilities

Published

2014-08-01

Title

RokMicroNews <= 1.5 - XSS,DoS,Disclosure,Upload Vulnerabilities

Published

2015-05-25

Title

WordPress Landing Pages <= 1.8.4 - XSS & SQL Injection

Published

2019-07-23

Title

WPS Hide Login < 1.5.3 - Multiples Issues

Published

2019-07-01

Title

Newsletter Lite < 4.6.19 - Multiple Issues