WP GDPR Compliance < 1.4.3 - Unauthenticated Call Any Action or Update Any Option
Description
The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available for unauthenticated users, even unauthenticated users are able to do this. See references for discussion of the issue. The problem is in the file Includes/Ajax.php which doesn't do any checking of the given values.
Proof of Concept
1. Install WordPress.
2. Install the plugin.
3. Enable the request form and publish the page.
Update an option:
1. Go to the page with request form
2. Check the pages source for "ajaxSecurity" and copy the value
3. Send an ajax request (as POST) to wp-admin/admin-ajax.php (must be within the same browser) with the following body:
action=wpgdprc_process_action&security=SECURITY_TOKEN_HERE&data={"type":"save_setting","append":true,"enabled": true,"option":"injected","value" :"option"}
After that check your wp_options table for the new value.
Affects Plugins
Fixed in version 1.4.3✓
References
Classification
Type
BYPASS
Miscellaneous
Submitter
Adrian Mörchen
Submitter website
Verified
Yes
Timeline
Publicly Published
2018-11-08 (about 2 years ago)
Added
2018-11-08 (about 2 years ago)
Last Updated
2021-02-22 (about 2 months ago)