WP GDPR Compliance <= 1.4.2 - Unauthenticated Call Any Action or Update Any Option



Description
The plugin WP GDPR Compliance allows unauthenticated users to invoke any of the plugin's internal actions and to update any WordPress option (any row in the wp_options table).

If the plugin's data request form is published on a page that unauthenticated visitors can reach, those visitors can do this without any account, because the form page exposes the AJAX security token the handler relies on.

See references for discussion of the issue.

The problem is in the file Includes/Ajax.php, which performs no authorization check and no validation of the submitted values before acting on them.

Proof of Concept
1. Install WordPress.
2. Install the plugin.
3. Enable the request form and publish the page.

Update an option:

1. Go to the page with the request form.
2. Check the page's source for "ajaxSecurity" and copy the value.
3. Send an AJAX request (as POST) to wp-admin/admin-ajax.php (must be within the same browser session) with the following body:

action=wpgdprc_process_action&security=SECURITY_TOKEN_HERE&data={"type":"save_setting","append":true,"enabled":true,"option":"injected","value":"option"}

After that, check your wp_options table for the new "injected" option.
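The root cause described above is that the security token printed on the public form page is treated as proof of authorization, while in WordPress a nonce only ties a request to the page that issued it. As an added illustration that is not the plugin's own code and not the contents of the 1.4.3 changeset, the handler below shows the hardened shape of a "save_setting" AJAX action: the nonce is still checked, but a capability check decides who may write, an allowlist decides which options may be written, and each option has a fixed sanitizer. The hook name, nonce action, option names and sanitizers are assumptions made for this example.

```php
<?php
/**
 * Hardened "save_setting" AJAX handler (added example; hypothetical names).
 * The PoC request from this advisory ("option":"injected") is refused at
 * step 2 for visitors and at step 3 even for an administrator.
 */

// Allowlist of writable options and the sanitizer applied to each value.
// The client never gets to choose an arbitrary option name.
const EXAMPLE_WRITABLE_OPTIONS = array(
    'example_request_form_enabled' => 'rest_sanitize_boolean',
    'example_privacy_policy_page'  => 'absint',
);

function example_process_action() {
    // 1. CSRF protection only: the nonce proves the request came from a page
    //    that printed it. That page is public, so this authorizes nobody.
    check_ajax_referer( 'example_ajax_security', 'security' );

    $data = json_decode( wp_unslash( $_POST['data'] ?? '' ), true );
    if ( ! is_array( $data ) || empty( $data['type'] ) ) {
        wp_send_json_error( 'Malformed request.', 400 );
    }

    switch ( $data['type'] ) {
        case 'save_setting':
            // 2. Authorization: only users allowed to manage options reach the write.
            if ( ! current_user_can( 'manage_options' ) ) {
                wp_send_json_error( 'Insufficient privileges.', 403 );
            }

            // 3. Allowlist the option name instead of trusting the submitted one.
            $option = sanitize_key( $data['option'] ?? '' );
            if ( ! array_key_exists( $option, EXAMPLE_WRITABLE_OPTIONS ) ) {
                wp_send_json_error( 'Option is not writable here.', 403 );
            }

            // 4. Coerce the value to the type the option expects before storing it.
            $sanitize = EXAMPLE_WRITABLE_OPTIONS[ $option ];
            update_option( $option, call_user_func( $sanitize, $data['value'] ?? null ) );
            wp_send_json_success( array( 'option' => $option ) );
            break;

        default:
            // Unknown types are refused rather than dispatched dynamically.
            wp_send_json_error( 'Unknown action.', 400 );
    }
}

// Registered for logged-in users only. The capability check above would still
// hold under wp_ajax_nopriv_, but keeping the unauthenticated surface minimal
// is the cheaper thing to reason about.
add_action( 'wp_ajax_example_process_action', 'example_process_action' );
```

When auditing an AJAX handler for this class of bug, the questions to ask are exactly the numbered steps: does the nonce come from a page that anonymous visitors can load, is there a current_user_can() check before any state change, and can the client name the option or action that is written or invoked.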

Affects Plugin

Fixed in version 1.4.3

References

CVE 2018-19207
URL https://wordpress.org/support/topic/plugin-installed-itself-and-activated-itself-on-my-site
URL https://plugins.trac.wordpress.org/changeset/1970366/wp-gdpr-compliance
URL https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/

Classification

Type BYPASS

Miscellaneous

Submitter Adrian Mörchen
Submitter Website https://www.moewe.io
Views 6833
Verified Yes
WPVDB ID 9144

Timeline

Publicly Published 2018-11-08
Added 2018-11-08
Last Updated 2018-11-13

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.