WordPress Plugin Vulnerabilities

GDPR CCPA Compliance Support < 2.4 - Unauthenticated PHP Object Injection

Description

The GDPR CCPA Compliance Support WordPress plugin was vulnerable to an Unauthenticated PHP Object Injection security vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
ninja-gdpr-compliance
Fixed in 2.4

References

CVE
CVE-2020-36718
URL
https://plugins.trac.wordpress.org/changeset/2408938
URL
https://plugins.trac.wordpress.org/changeset/2411356/ninja-gdpr-compliance
URL
https://blog.nintechnet.com/gdpr-ccpa-compliance-support-plugin-fixed-insecure-deserialization-vulnerability/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.1 (high)

Miscellaneous

Original Researcher
NinTechNet
Verified
No
WPVDB ID
92f1d6fb-c665-419e-a13b-688b1df6c395

Timeline

Publicly Published
2020-11-03 (about 5 years ago)
Added
2020-11-05 (about 5 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2025-08-25
Title
YouTube Showcase < 3.5.2 - Unauthenticated PHP Object Injection
Published
2025-09-03
Title
LTL Freight Quotes – Day & Ross Edition < 2.1.12 - Authenticated (Administrator+) PHP Object Injection
Published
2025-05-19
Title
The Business <= 1.6.1 - Unauthenticated PHP Object Injection
Published
2025-07-18
Title
Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms < 1.1.2 - Unauthenticated PHP Object Injection via verify_field_val Function
Published
2025-08-08
Title
Gravity Forms Keap/Infusionsoft < 1.2.4 - Unauthenticated PHP Object Injection