CVE-2018-19207
Published 2018-11-12
Priority: P190 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW EXPLOIT) · VulnCheck KEV · Initial access
EPSS: 87.29% (99.7th percentile)
The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| van-ons | wp-gdpr-compliance | < 1.4.3 | 1.4.3 |
Detection & IOCs (extracted from sources)
- command: `action=wpgdprc_process_action&security={{nonce}}&data={"type":"save_setting","append":false,"option":"users_can_register","value":"1"}`
- command: `action=wpgdprc_process_action&security={{nonce}}&data={"type":"save_setting","append":false,"option":"default_role","value":"administrator"}`
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php containing the 'wpgdprc_process_action' action parameter with 'save_setting' type, especially attempts to set 'users_can_register' to '1' or 'default_role' to 'administrator'.
- A successful exploitation response from admin-ajax.php will contain both '"message":""' and '"error":""' in the JSON body with Content-Type application/json.
- The nonce required for exploitation is extracted from the frontend page body by matching a regex against the wpgdprcData JavaScript variable; presence of this variable on a page indicates the vulnerable plugin is active.
- The vulnerability resides in Includes/Ajax.php of the wp-gdpr-compliance plugin; lack of capability checks on the 'save_setting' internal action allows unauthenticated option writes.
- The Metasploit module warns that it sets WordPress configuration options without reading their current values and restoring them later, meaning exploitation (or testing) may permanently alter site settings such as open registration and default role.
- Exploitation requires a valid nonce ('ajaxSecurity') extracted from the site's frontend; the nonce is publicly accessible to unauthenticated users, making the vulnerability fully unauthenticated.
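The request and response indicators from the bullets above, turned into detection logic. This is an added example, not code from the page or from any of the sources it cites; `classify_request`, `response_indicates_success`, `scan` and the sample records are assumptions made here, and the sample traffic is constructed rather than captured.

```python
import json
from urllib.parse import parse_qs

# Option/value pairs from the indicators above that turn an option write into a takeover path.
ESCALATION_VALUES = {
    "users_can_register": {"1"},
    "default_role": {"administrator"},
}

def classify_request(path: str, body: str):
    """Return 'escalate', 'probe' (other unauthenticated option write or unparseable data) or None."""
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)  # also URL-decodes the values
    if params.get("action", [""])[0] != "wpgdprc_process_action":
        return None
    try:
        data = json.loads(params.get("data", [""])[0] or "{}")
    except json.JSONDecodeError:
        return "probe"
    if not isinstance(data, dict) or data.get("type") != "save_setting":
        return None  # the plugin's other AJAX types are used by its own frontend
    option, value = str(data.get("option", "")), str(data.get("value", ""))
    if value in ESCALATION_VALUES.get(option, ()):
        return "escalate"
    return "probe"

def response_indicates_success(response_body: str) -> bool:
    """True when the JSON reply carries the empty message/error pair tied to a successful save_setting."""
    try:
        resp = json.loads(response_body)
    except json.JSONDecodeError:
        return False
    return isinstance(resp, dict) and resp.get("message") == "" and resp.get("error") == ""

# Constructed sample traffic (path, POST body); not captured from a real site.
SAMPLE_REQUESTS = [
    ("/wp-admin/admin-ajax.php",
     'action=wpgdprc_process_action&security=0123abcd&data={"type":"save_setting",'
     '"append":false,"option":"default_role","value":"administrator"}'),
    ("/wp-admin/admin-ajax.php",  # same call, URL-encoded, writing a harmless option
     "action=wpgdprc_process_action&security=0123abcd&data=%7B%22type%22%3A%22save_setting"
     "%22%2C%22option%22%3A%22blogdescription%22%2C%22value%22%3A%22x%22%7D"),
    ("/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=0123abcd"),
]

def scan(records):
    """Return [(index, verdict)] for every record that is not benign."""
    out = []
    for i, (path, body) in enumerate(records):
        verdict = classify_request(path, body)
        if verdict:
            out.append((i, verdict))
    return out
```

Pair `classify_request` on the request with `response_indicates_success` on the matching reply to separate blocked attempts from completed option writes.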
CVSS provenance
- NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-q4mw-9w8q-q3fp · ghsa_unreviewed · 2022-05-13 · CRITICAL · CWE-425
The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.
VulnCheck
van-ons wp-gdpr-compliance Direct Request ('Forced Browsing') · vulncheck · 2018 · CVSS 9.8 · CRITICAL
The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.
Affected: van-ons wp-gdpr-compliance
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in-wp-gdpr-compliance-plugin-exploited-in-the-wild/
- https://www.cve.org/CVERecord?id=CVE-2018-19207
Exploit PoC:
- https://vulncheck.com/xdb/36d1a44178ca
- https://vulncheck.com/xdb/ba7b7f4736fb
No detection rules found.
Metasploit
WordPress WP GDPR Compliance Plugin Privilege Escalation · metasploit
The WordPress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set WordPress administration options by overwriting values within the database. The vulnerability is present in WordPress's admin-ajax.php, which allows unauthorized users to trigger handlers and make configuration changes because of a failure to do capability checks when executing the 'save_setting' internal action. WARNING: The module sets WordPress configuration options without reading their current values and restoring them later.
Nuclei
WP GDPR Compliance < 1.4.3 - Unauthenticated Call Any Action or Update Any Option · nuclei · CVSS 9.8 · CRITICAL
The WP GDPR Compliance plugin allows unauthenticated users to execute any action and update any database value. This vulnerability is due to the lack of proper validation in the Includes/Ajax.php file.
Template:
```yaml
id: CVE-2018-19207

info:
  name: WP GDPR Compliance < 1.4.3 - Unauthenticated Call Any Action or Update Any Option
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    The WP GDPR Compliance plugin allows unauthenticated users to execute any action and update any database value. This vulnerability is due to the lack of proper validation in the Includes/Ajax.php file.
  impact: |
    Unauthenticated attackers can execute any action and update any database value, potentially creating admin account
```
No writeups or analysis indexed.
References:
- http://www.securityfocus.com/bid/105921
- https://wordpress.org/plugins/wp-gdpr-compliance/#developers
- https://wpvulndb.com/vulnerabilities/9144
- https://www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/