WordPress Plugin Vulnerabilities

GDPR CCPA Compliance Support < 2.4 - Unauthenticated PHP Object Injection

Description

The GDPR CCPA Compliance Support WordPress plugin was vulnerable to an Unauthenticated PHP Object Injection security vulnerability.

Proof of Concept

The vulnerability could triggered within the "njt_gdpr_allow_permissions" Base64 encoded cookie value.

Affects Plugins

Plugin icon
ninja-gdpr-compliance
Fixed in 2.4

References

CVE
CVE-2020-36718
URL
https://plugins.trac.wordpress.org/changeset/2408938
URL
https://plugins.trac.wordpress.org/changeset/2411356/ninja-gdpr-compliance
URL
https://blog.nintechnet.com/gdpr-ccpa-compliance-support-plugin-fixed-insecure-deserialization-vulnerability/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.1 (high)

Miscellaneous

Original Researcher
NinTechNet
Verified
No
WPVDB ID
92f1d6fb-c665-419e-a13b-688b1df6c395

Timeline

Publicly Published
2020-11-03 (about 3 years ago)
Added
2020-11-05 (about 3 years ago)
Last Updated
2023-06-08 (about 11 months ago)

Other

Published
Title
Published
2023-03-27
Title
WP Meta SEO < 4.5.5 - Author+ PHAR Deserialization
Published
2023-10-17
Title
E2Pdf < 1.20.19 - Authenticated (Administrator+) PHP Object Injection
Published
2017-10-02
Title
Appointments <= 2.2.1 - Unauthenticated PHP Object Injection
Published
2023-12-05
Title
Structured Content < 1.6 - Contributor+ PHP Object Injection
Published
2023-10-17
Title
Themify Ultra < 7.3.6 - Authenticated (Subscriber+) PHP Object Injection