WordPress Plugin Vulnerabilities

GDPR Cookie Compliance <= 4.0.2 - Authenticated Settings Reset

Description

The gdpr_cookie_compliance_reset_settings AJAX action registered for authenticated users lacks authorisation and CSRF checks, allowing unauthorised authenticated users to call it, which would result in the settings being reset.

Affects Plugins

Plugin icon
gdpr-cookie-compliance
Fixed in 4.0.3

References

CVE
CVE-2019-25143
URL
https://blog.nintechnet.com/wordpress-gdpr-cookie-compliance-plugin-fixed-authenticated-settings-deletion-vulnerability/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269

Miscellaneous

Original Researcher
Jerome Bruandet (Nintechnet.com)
Verified
No
WPVDB ID
5ac51325-a7f5-4d38-9b41-61855206083d

Timeline

Publicly Published
2019-12-27 (about 4 years ago)
Added
2019-12-27 (about 4 years ago)
Last Updated
2023-06-08 (about 11 months ago)

Other

Published
Title
Published
2023-03-06
Title
Multiple e-plugins - Subscriber+ Privilege Escalation
Published
2020-03-16
Title
LearnPress < 3.2.6.7 - Privilege Escalation
Published
2019-08-05
Title
ND Booking < 2.5 - Unauthenticated Options Change
Published
2023-11-21
Title
UserPro < 5.1.5 - Authenticated (Subscriber+) Privilege Escalation
Published
2016-02-10
Title
Woocommerce Exporter < 1.8.4 - Privilege Esclation