WordPress Plugin Vulnerabilities

GDPR Cookie Consent <= 2.6.0 - Bulk Delete via CSRF

Description

The plugin does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting visit logs via CSRF attacks

Proof of Concept

Affects Plugins

Plugin icon
webtoffee-gdpr-cookie-consent
Fixed in 2.6.1

References

CVE
CVE-2024-8286

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
628bbac0-76b1-4666-9c00-bae84b48f85c

Timeline

Publicly Published
2024-08-25 (about 1 year ago)
Added
2024-09-16 (about 1 year ago)
Last Updated
2024-09-16 (about 1 year ago)

Other

Published
Title
Published
2024-12-12
Title
DTC Documents <= 1.1.05 - Cross-Site Request Forgery
Published
2024-10-16
Title
Forminator Forms < 1.36.0 - Draft Quiz Creation via CSRF
Published
2023-03-02
Title
WpStream < 4.4.10.6 - Settings Update via CSRF
Published
2014-08-01
Title
WP-Print 2.51 - Setting Manipulation CSRF
Published
2022-07-19
Title
E Unlocked - Student Result <= 1.0.4 - Arbitrary File Upload via CSRF