WordPress GDPR & CCPA < 1.9.26 - Authenticated Reflected Cross-Site Scripting

The check_privacy_settings AJAX action of the plugin, available to both unauthenticated and authenticated users, responds with JSON data without an “application/json” content-type. Since an HTML payload isn’t properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim’s browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same domain as the admin panel - there is no same-origin restriction). Note: v1.9.26 added a CSRF check in an attempt to fix the issue, which is not sufficient and the XSS can still be exploited against unauthenticated user. A separate issue has been created

PoC

POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 105 Connection: close Upgrade-Insecure-Requests: 1 action=check_privacy_settings&settings;%5B40%5D=40&settings;%5B41%5D=%3cbody%20onload%3dalert(XSS)%3e