WP GDPR Compliance <= 1.4.2 - Unauthenticated Call Any Action or Update Any Option

The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value.

If the request data form is available for unauthenticated users, even unauthenticated users are able to do this.

See references for discussion of the issue.

The problem is in the file Includes/Ajax.php which doesn't do any checking of the given values.
Proof of Concept
1. Install WordPress.
2. Install the plugin.
3. Enable the request form and publish the page.

Update an option:

1. Go to the page with request form
2. Check the pages source for "ajaxSecurity" and copy the value
3. Send an ajax request (as POST) to wp-admin/admin-ajax.php (must be within the same browser) with the following body:

action=wpgdprc_process_action&security=SECURITY_TOKEN_HERE&data={         "type":"save_setting","append":true,"enabled": true,"option":"injected","value" :"option"}

After that check your wp_options table for the new value.

Affects Plugin

fixed in version 1.4.3


CVE 2018-19207
URL https://wordpress.org/support/topic/plugin-installed-itself-and-activated-itself-on-my-site
URL https://plugins.trac.wordpress.org/changeset/1970366/wp-gdpr-compliance
URL https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/




Submitter Adrian Mörchen
Submitter Website https://www.moewe.io
Views 17916
Verified Yes


Publicly Published 2018-11-08 (over 1 year ago)
Added 2018-11-08 (over 1 year ago)
Last Updated 2019-11-01 (7 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin