CVE-2018-19207
published 2018-11-12


Priority: P1 · 90 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 87.29% (99.7th percentile)
The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.

Affected (1 range)

Vendor: van-ons · Product: wp-gdpr-compliance · Version range: < 1.4.3 · Fixed in: 1.4.3

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: wp-content/plugins/wp-gdpr-compliance/
command: action=wpgdprc_process_action&security={{nonce}}&data={"type":"save_setting","append":false,"option":"users_can_register","value":"1"}
command: action=wpgdprc_process_action&security={{nonce}}&data={"type":"save_setting","append":false,"option":"default_role","value":"administrator"}
other: var wpgdprcData.*"ajaxSecurity":"([a-z0-9]+)"
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php containing the 'wpgdprc_process_action' action parameter with 'save_setting' type, especially attempts to set 'users_can_register' to '1' or 'default_role' to 'administrator'.
  • A successful exploitation response from admin-ajax.php will contain both '"message":""' and '"error":""' in the JSON body with Content-Type application/json.
  • The nonce required for exploitation is extracted from the frontend page body matching the regex pattern against the wpgdprcData JavaScript variable; presence of this variable on a page indicates the vulnerable plugin is active.
  • The vulnerability resides in Includes/Ajax.php of the wp-gdpr-compliance plugin; lack of capability checks on the 'save_setting' internal action allows unauthenticated option writes.
  • The Metasploit module warns that it sets WordPress configuration options without reading their current values and restoring them later, meaning exploitation (or testing) may permanently alter site settings such as open registration and default role.
  • Exploitation requires a valid nonce ('ajaxSecurity') extracted from the site's frontend; the nonce is publicly accessible to unauthenticated users, making the vulnerability fully unauthenticated.
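The detection bullets above can be turned into a small log-review script. The following is an added example written for this page, not code from the CVE record, the plugin, or any detection-rule source; it assumes a reverse proxy or WAF export that captures POST bodies and response bodies (plain access logs usually do not), and the sample records, IP addresses and nonce value are constructed placeholders. It flags POSTs to admin-ajax.php that carry the 'wpgdprc_process_action' action, rates a 'save_setting' write to 'users_can_register' = '1' or 'default_role' = 'administrator' as high, and notes whether the response carries the '"message":""' plus '"error":""' success indicator.

```python
import json
from urllib.parse import parse_qs

# Action name and the two option writes named in the page's IoC list.
WPGDPRC_ACTION = "wpgdprc_process_action"
HIGH_RISK_WRITES = {"users_can_register": "1", "default_role": "administrator"}

# Constructed sample records (not real traffic) in the shape a proxy/WAF export
# with request- and response-body capture might produce. Nonce values and IPs
# are placeholders.
SAMPLE_REQUESTS = [
    {"id": 1, "src": "198.51.100.10", "method": "GET", "path": "/",
     "body": "", "response": "<html>front page</html>"},
    {"id": 2, "src": "198.51.100.11", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&_nonce=PLACEHOLDER", "response": '{"success":true}'},
    {"id": 3, "src": "203.0.113.5", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": 'action=wpgdprc_process_action&security=PLACEHOLDER_NONCE'
             '&data={"type":"save_setting","append":false,"option":"users_can_register","value":"1"}',
     "response": '{"message":"","error":""}'},
    {"id": 4, "src": "203.0.113.5", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": 'action=wpgdprc_process_action&security=PLACEHOLDER_NONCE'
             '&data={"type":"save_setting","append":false,"option":"default_role","value":"administrator"}',
     "response": '{"message":"","error":"Invalid nonce"}'},
    {"id": 5, "src": "198.51.100.12", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": 'action=wpgdprc_process_action&security=PLACEHOLDER_NONCE'
             '&data={"type":"constructed_other_type"}',
     "response": '{"message":"","error":""}'},
]


def parse_ajax_body(body):
    """Split a urlencoded admin-ajax body into (action, decoded 'data' JSON or None)."""
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    raw_data = params.get("data", [""])[0]
    try:
        data = json.loads(raw_data) if raw_data else None
    except json.JSONDecodeError:
        data = None  # malformed or non-JSON data: still worth flagging by action
    return action, data


def response_indicates_success(response_body):
    """Success indicator named on the page: both empty 'message' and empty 'error' fields."""
    return '"message":""' in response_body and '"error":""' in response_body


def classify_request(record):
    """Return a finding dict for a wpgdprc_process_action POST, else None."""
    if record["method"] != "POST" or not record["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    action, data = parse_ajax_body(record["body"])
    if action != WPGDPRC_ACTION:
        return None
    # Ordinary front-end use of the plugin also hits this action, so the bare
    # action is only informational; the internal 'save_setting' type is the one
    # that lacked a capability check.
    severity, reason = "info", "wpgdprc_process_action call"
    if isinstance(data, dict) and data.get("type") == "save_setting":
        option = str(data.get("option"))
        value = str(data.get("value"))
        if HIGH_RISK_WRITES.get(option) == value:
            severity, reason = "high", f"save_setting {option}={value}"
        else:
            severity, reason = "medium", f"save_setting on option {option}"
    return {"id": record["id"], "src": record["src"], "severity": severity,
            "reason": reason,
            "success_indicator": response_indicates_success(record.get("response", ""))}


def scan(records):
    """Run classify_request over every record and keep the findings."""
    return [f for f in (classify_request(r) for r in records) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Two findings of severity high from one source, one of them with the success indicator set, is the pattern to act on: confirm the plugin version, check whether 'users_can_register' or 'default_role' changed, and review newly registered users.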

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL