WPScan

WordPress Plugin Vulnerabilities

WP GDPR Compliance < 1.4.3 - Unauthenticated Call Any Action or Update Any Option

Description

The WP GDPR Compliance plugin allows unauthenticated users to execute any of its actions and to update any option in the database.

If the data request form is available to unauthenticated visitors, they are able to do this as well.

See the references for discussion of the issue.

The problem is in the file Includes/Ajax.php, which does not validate the supplied values.

Proof of Concept

1. Install WordPress.
2. Install the plugin.
3. Enable the request form and publish the page.

Update an option:

1. Go to the page containing the request form.
2. Check the page's source for "ajaxSecurity" and copy its value.
3. From the same browser session, send a POST request to wp-admin/admin-ajax.php with the following body:

action=wpgdprc_process_action&security=SECURITY_TOKEN_HERE&data={"type":"save_setting","append":true,"enabled": true,"option":"injected","value" :"option"}

Afterwards, check the wp_options table for the new option.

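As an added illustration (not the plugin's code and not part of this advisory), the following admin-ajax handler shows the checks whose absence the description refers to: a nonce for CSRF protection, a capability check for authorization, and an allowlist of the options the handler is permitted to write. The action name example_save_setting, the option names and the sanitizer mapping are hypothetical. Note that a nonce copied from the page source, as in the proof of concept above, would pass check_ajax_referer on its own; it is the capability check and the allowlist that actually close the hole.

```php
<?php
// Added example, not the WP GDPR Compliance plugin's code.
// Hypothetical action name and option names are used throughout.

// Register the handler for logged-in users only. There is deliberately no
// 'wp_ajax_nopriv_example_save_setting' registration, so logged-out visitors
// never reach this code path.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting' );

function example_save_setting() {
    // 1. CSRF: verify the nonce printed for this action (sent as "security").
    //    A nonce only proves the request came from a page that printed it;
    //    it does not say who the requester is, so step 2 is still required.
    check_ajax_referer( 'example_save_setting', 'security' );

    // 2. Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input: decode the JSON payload and reject anything malformed.
    $raw  = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( array( 'message' => 'Malformed request data.' ), 400 );
    }

    // 4. Allowlist: the only options this handler may write, each paired with
    //    the sanitizer that coerces the value into the expected shape.
    $allowed = array(
        'example_enabled'       => 'rest_sanitize_boolean',
        'example_notice_text'   => 'sanitize_text_field',
        'example_contact_email' => 'sanitize_email',
    );

    $option = isset( $data['option'] ) ? (string) $data['option'] : '';
    if ( ! array_key_exists( $option, $allowed ) ) {
        // Anything outside the allowlist, including every WordPress core
        // option, is refused rather than written.
        wp_send_json_error( array( 'message' => 'Unknown setting.' ), 400 );
    }

    $value = call_user_func( $allowed[ $option ], $data['value'] ?? '' );
    update_option( $option, $value );

    wp_send_json_success( array( 'option' => $option, 'value' => $value ) );
}
```

The design point is that each layer answers a different question: the nonce asks "did this request originate from my page?", the capability check asks "is this user allowed to do this?", and the allowlist asks "is this a setting this handler should ever touch?". Dropping any one of them, as the vulnerable handler effectively did, leaves the other two unable to compensate.
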
Affects Plugins

wp-gdpr-compliance
Fixed in version 1.4.3

References

CVE: CVE-2018-19207
URL: https://wordpress.org/support/topic/plugin-installed-itself-and-activated-itself-on-my-site
URL: https://plugins.trac.wordpress.org/changeset/1970366/wp-gdpr-compliance
URL: https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/

Classification

Type: BYPASS

Miscellaneous

Submitter: Adrian Mörchen
Submitter website: https://www.moewe.io
Verified: Yes
WPVDB ID: 678dac05-d1f7-4e73-a310-dffa8f5bb9c4

Timeline

Publicly Published: 2018-11-08
Added: 2018-11-08
Last Updated: 2021-02-22
