Privilege escalation in GDPR Compliance plugin for WordPress

1) Privilege escalation

EUVDB-ID: #VU15793

Risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2018-19207

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists due to the software fail to do capability checks when executing its internal action save_setting to make such configuration changes when processing arbitrary options and values to this endpoint. A remote attacker can set the users_can_register option to 1, and change the default_role of new users to “administrator” to simply fill out the form at /wp-login.php?action=register and immediately access a privileged account, change these options back to normal and install a malicious plugin or theme containing a web shell or other malware to further infect the victim site.

Note: this vulnerability is being actively exploited in the wild.

Mitigation

Update to version 1.4.3.

Vulnerable software versions

WP GDPR Compliance: 1.0 - 1.4.2

CPE2.3

• cpe:2.3:a:wordpress_org:wp_gdpr_compilance:1.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:wordpress_org:wp_gdpr_compilance:1.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:wordpress_org:wp_gdpr_compilance:1.1.1:*:*:*:*:wordpress:*:*

External links

https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.