CVE-2024-5607 GDPR CCPA Compliance & Cookie Consent Banner <= 2.7.0 - Missing Authorization to Settings Update and Stored Cross-Site Scripting

2024-06-0702:39:28

Wordfence

www.cve.org

cve-2024-5607

missing authorization

stored cross-site scripting

wordpress

data modification

capability check

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS

Percentile

14.0%

JSON

The GDPR CCPA Compliance & Cookie Consent Banner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions named ajaxUpdateSettings() in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin’s settings, update page content, send arbitrary emails and inject malicious web scripts.

CNA Affected

[
  {
    "vendor": "ninjateam",
    "product": "GDPR CCPA Compliance & Cookie Consent Banner",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "2.7.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3097680%40ninja-gdpr-compliance&new=3097680%40ninja-gdpr-compliance&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/b8f870a6-26a5-4f98-9bd6-12736c561265?source=cve