WP GDPR Compliance <= 1.4.2 - Unauthenticated Call Any Action or Update Any Option



Description
The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value.

If the request data form is available for unauthenticated users, even unauthenticated users are able to do this.

See references for discussion of the issue.

The problem is in the file Includes/Ajax.php which doesn't do any checking of the given values.
Proof of Concept
1. Install WordPress.
2. Install the plugin.
3. Enable the request form and publish the page.

Update an option:

1. Go to the page with request form
2. Check the pages source for "ajaxSecurity" and copy the value
3. Send an ajax request (as POST) to wp-admin/admin-ajax.php (must be within the same browser) with the following body:

action=wpgdprc_process_action&security=SECURITY_TOKEN_HERE&data={         "type":"save_setting","append":true,"enabled": true,"option":"injected","value" :"option"}

After that check your wp_options table for the new value.

Affects Plugin

fixed in version 1.4.3

References

CVE 2018-19207
URL https://wordpress.org/support/topic/plugin-installed-itself-and-activated-itself-on-my-site
URL https://plugins.trac.wordpress.org/changeset/1970366/wp-gdpr-compliance
URL https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/

Classification

Type BYPASS

Miscellaneous

Submitter Adrian Mörchen
Submitter Website https://www.moewe.io
Views 14952
Verified Yes
WPVDB ID 9144

Timeline

Publicly Published 2018-11-08 (11 months ago)
Added 2018-11-08 (11 months ago)
Last Updated 2018-11-13 (11 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin