Unauthenticated stored XSS and content spoofing vulnerabilities in WordPress WP GDPR plugin (unpatched).

This plugin is not maintained any longer and the vulnerability has never been fixed. Make sure to follow the recommendations below.

The WordPress WP GDPR plugin, which has 6,000+ active installations, is prone to multiple vulnerabilities affecting version 2.1.1 and below.

Improper access control and unvalidated user input can lead to:

  • Stored XSS: An unauthenticated attacker can inject JavaScript code that will be triggered when someone accesses a page or post that has a comment form:
  • Content Spoofing: An unauthenticated attacker can gain full control over the WordPress comments table in the database and can tamper with any of its 14 fields: change the content of all comments, assign them to another user or to another post, bypass moderation/approval etc.
  • Additional issue: An unauthenticated attacker can delete any comment as well as modify the plugin’s settings.

Because all issues are unfixed we won’t provide more details.

Timeline

The vulnerability was reported to the wordpress.org team on October 22, 2019 and the plugin was removed from the repo.

Recommendations

We recommend to uninstall this plugin as there isn’t any security patch available. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability since October 2019.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet