The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available for unauthenticated users, even unauthenticated users are able to do this. See references for discussion of the issue. The problem is in the file Includes/Ajax.php which doesnโt do any checking of the given values.
1. Install WordPress. 2. Install the plugin. 3. Enable the request form and publish the page. Update an option: 1. Go to the page with request form 2. Check the pages source for โajaxSecurityโ and copy the value 3. Send an ajax request (as POST) to wp-admin/admin-ajax.php (must be within the same browser) with the following body: action=wpgdprc_process_action&security;=SECURITY_TOKEN_HERE&data;={ โtypeโ:โsave_settingโ,โappendโ:true,โenabledโ: true,โoptionโ:โinjectedโ,โvalueโ :โoptionโ} After that check your wp_options table for the new value.