WordPress GDPR Cookie Compliance plugin fixed authenticated settings deletion vulnerability.

The WordPress GDPR Cookie Compliance plugin (90,000+ active installations) fixed a vulnerability affecting version 4.0.2 and below that could allow an authenticated user to delete its settings.

Authenticated settings deletion

In the “class-moove-gdpr-actions.php” script, the plugin registers the gdpr_cookie_compliance_reset_settings AJAX action:

add_action( 'wp_ajax_gdpr_cookie_compliance_reset_settings', array( 'Moove_GDPR_Controller', 'gdpr_cookie_compliance_reset_settings' ) );

It loads the gdpr_cookie_compliance_reset_settings function found in the “controllers/class-moove-gdpr-controller.php” script:

public static function gdpr_cookie_compliance_reset_settings() {
   $gdpr_content   = new Moove_GDPR_Content();
   $option_name    = $gdpr_content->moove_gdpr_get_option_name();
   $option_key     = $gdpr_content->moove_gdpr_get_key_name();
   update_option( $option_name, array() );
   gdpr_delete_option();
   if ( function_exists( 'update_site_option' ) ) :
      delete_site_option( $option_key );
   else :
      delete_option( $option_key );
   endif;

   echo json_encode( array( 'success' => true ) );
   die();
}

The function is used to erase all settings. As it lacks a capabilities check and a security nonce, any logged-in user could execute this code.
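
For comparison, a hardened variant of the same handler, written here as an added example and not taken from the plugin's 4.0.3 release. The function name, the nonce action string 'gdpr_cc_reset_settings', the 'nonce' request field and the choice of the manage_options capability are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's own code. Assumes the settings page creates
// a nonce with wp_create_nonce( 'gdpr_cc_reset_settings' ) and the AJAX request
// sends it in a field named "nonce" (both names are hypothetical).

// Registered in place of the original callback, not alongside it.
add_action( 'wp_ajax_gdpr_cookie_compliance_reset_settings', 'example_gdpr_reset_settings_hardened' );

function example_gdpr_reset_settings_hardened() {
	// 1. Authorization: a wp_ajax_* hook only guarantees that the caller is
	//    logged in, so a subscriber reaches this code too. Require an
	//    administrator-level capability before doing anything destructive.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 2. Request forgery: verify the nonce. With the third argument set to
	//    false, check_ajax_referer() returns false instead of dying, which
	//    lets the handler answer with a JSON error.
	if ( ! check_ajax_referer( 'gdpr_cc_reset_settings', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
	}

	// 3. Same reset logic as the original handler.
	$gdpr_content = new Moove_GDPR_Content();
	$option_name  = $gdpr_content->moove_gdpr_get_option_name();
	$option_key   = $gdpr_content->moove_gdpr_get_key_name();
	update_option( $option_name, array() );
	gdpr_delete_option();
	if ( function_exists( 'update_site_option' ) ) :
		delete_site_option( $option_key );
	else :
		delete_option( $option_key );
	endif;

	// wp_send_json_success() prints {"success":true} and terminates the request.
	wp_send_json_success();
}
```

Both checks are needed: the capability check stops low-privileged accounts, while the nonce stops a forged request from being replayed through an administrator's browser session.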

Timeline

The vulnerability was reported to the WordPress.org team on December 17, 2019, and a new version, 4.0.3, was released on December 23, 2019.

Recommendations

Update as soon as possible if you have version 4.0.2 or below installed.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.
