WP GDPR Compliance <= 1.4.2 - Unauthenticated Call Any Action or Update Any Option

The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value.

If the request data form is available for unauthenticated users, even unauthenticated users are able to do this.

See references for discussion of the issue.

The problem is in the file Includes/Ajax.php which doesn't do any checking of the given values.
Proof of Concept
1. Install WordPress.
2. Install the plugin.
3. Enable the request form and publish the page.

Update an option:

1. Go to the page with request form
2. Check the pages source for "ajaxSecurity" and copy the value
3. Send an ajax request (as POST) to wp-admin/admin-ajax.php (must be within the same browser) with the following body:

action=wpgdprc_process_action&security=SECURITY_TOKEN_HERE&data={         "type":"save_setting","append":true,"enabled": true,"option":"injected","value" :"option"}

After that check your wp_options table for the new value.

Affects Plugin

fixed in version 1.4.3


CVE 2018-19207
URL https://wordpress.org/support/topic/plugin-installed-itself-and-activated-itself-on-my-site
URL https://plugins.trac.wordpress.org/changeset/1970366/wp-gdpr-compliance
URL https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/




Submitter Adrian Mörchen
Submitter Website https://www.moewe.io
Views 12745
Verified Yes


Publicly Published 2018-11-08 (8 months ago)
Added 2018-11-08 (8 months ago)
Last Updated 2018-11-13 (8 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.