CVE-2021-42359
Published 2021-11-05
Priority: P178 · Severity: critical · CVSS 3.1 base score: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Flags: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 3.93% (89.1st percentile)
WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the “action” parameter set to “admin-dismiss-unsubscribe” and the “id” parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| legalweb | wp_dsgvo_tools | <= 3.1.23 | — |
| legalweb | wp_dsgvo_tools | 3.1.23 – 3.1.23 | — |
Detection & IOCs (extracted from sources)
- Repeated POST requests with action=admin-dismiss-unsubscribe and the same post ID indicate an attempt to permanently delete a post: the first request trashes it, the second permanently deletes it.
- The path /wp-content/plugins/shapepress-dsgvo/ in HTTP responses confirms the vulnerable plugin is installed and can be used for passive fingerprinting.
- Attacker reconnaissance step: an unauthenticated GET to wp-json/wp/v2/posts or ?rest_route=/wp/v2/posts to enumerate post IDs before triggering deletion.
- The vulnerability requires no authentication, no nonce and no capability: any unauthenticated HTTP client can trigger post deletion, so blocking unauthenticated requests to admin-ajax.php that carry this action at the network level is a viable mitigation. Note that admin-ajax.php reads the action from $_REQUEST, so a block keyed only on POST bodies misses the same action supplied in the query string.
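One way to run the IOCs above over request records, as an added example that is not part of this page, the advisory, or any vendor tooling. It assumes a log source that records POST form bodies (a WAF or reverse proxy); a plain access log carries only the query string, so POST-bodied hits would be invisible to it. The record layout, the IP addresses and the function names (`extract_target`, `is_recon`, `is_plugin_fingerprint`, `analyze`) are constructed for this illustration, and merging `id` from both query string and body is an assumption, since the advisory does not say which carrier the plugin reads.

```python
"""Hunt for CVE-2021-42359 exploitation in request records.

Added example; not from the advisory, the plugin, or any vendor tool.
Assumes a log source that records POST form bodies (WAF / reverse proxy);
a plain access log carries only the query string. Record layout, IPs and
function names are constructed for this illustration.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ACTION = "admin-dismiss-unsubscribe"                   # the unprotected AJAX action
PLUGIN_PATH = "/wp-content/plugins/shapepress-dsgvo/"  # passive fingerprint

# Constructed sample records: (src_ip, method, path_with_query, form_body).
SAMPLE_REQUESTS = [
    # post-ID enumeration, then the trash / delete pair against post 42
    ("203.0.113.7", "GET", "/wp-json/wp/v2/posts?per_page=100", ""),
    ("203.0.113.7", "POST", "/wp-admin/admin-ajax.php",
     "action=admin-dismiss-unsubscribe&id=42"),
    ("203.0.113.7", "POST", "/wp-admin/admin-ajax.php",
     "action=admin-dismiss-unsubscribe&id=42"),
    # same action carried in the query string (single hit: post 7 is only trashed)
    ("198.51.100.9", "GET",
     "/wp-admin/admin-ajax.php?action=admin-dismiss-unsubscribe&id=7", ""),
    # ordinary WordPress heartbeat traffic, must not be flagged
    ("192.0.2.5", "POST", "/wp-admin/admin-ajax.php", "action=heartbeat"),
]


def extract_target(path, body):
    """Return the post ID targeted by the vulnerable action, or None.

    admin-ajax.php dispatches on $_REQUEST['action'], so the action can arrive
    in the query string or the form body. Whether the plugin reads `id` from
    $_POST or $_REQUEST is not stated in the advisory, so both carriers are
    merged here (assumption).
    """
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)
    params.update(parse_qs(body))
    if params.get("action", [None])[0] != ACTION:
        return None
    return params.get("id", [None])[0]


def is_recon(path):
    """True for the REST post-enumeration requests named in the IOC list."""
    parts = urlsplit(path)
    rest_route = parse_qs(parts.query).get("rest_route", [""])[0]
    return (parts.path.startswith("/wp-json/wp/v2/posts")
            or rest_route.startswith("/wp/v2/posts"))


def is_plugin_fingerprint(response_body):
    """True if an HTTP response references the vulnerable plugin's asset path."""
    return PLUGIN_PATH in response_body


def analyze(requests):
    """Group action hits by (source IP, post ID) and classify each pair.

    One hit moves the post to the trash; a second hit for the same ID from
    the same source is the permanent-delete step the advisory describes.
    """
    hits = defaultdict(int)
    recon_sources = set()
    for src, _method, path, body in requests:
        if is_recon(path):
            recon_sources.add(src)
        post_id = extract_target(path, body)
        if post_id is not None:
            hits[(src, post_id)] += 1
    findings = []
    for (src, post_id), count in hits.items():
        findings.append({
            "src": src,
            "post_id": post_id,
            "count": count,
            "stage": "permanent delete" if count >= 2 else "trash",
            "recon_seen": src in recon_sources,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_REQUESTS):
        print(finding)
```

Run as-is it reports two findings from the constructed records: the repeated pair from 203.0.113.7 against post 42 (preceded by REST enumeration) and a single trash hit from 198.51.100.9. A legitimate administrator dismissing an unsubscribe request through the plugin's own UI also sends this action once, so a lone "trash" finding needs corroboration (the source also appearing in `recon_seen`, or the request carrying no wordpress_logged_in_ cookie, which this record layout does not include); the repeated pair from one unauthenticated source is the stronger signal.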
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| NVD | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| VulnCheck | n/a | 7.5 | HIGH | n/a |
GHSA
GHSA-m254-mfgm-2hwx: WP DSGVO Tools (GDPR) <= 3.1.23 (CVE-2021-42359, severity HIGH, CWE-284 Improper Access Control)
Status: ghsa_unreviewed · 2022-05-24
Description: identical to the CVE text above.
VulnCheck
legalweb wp_dsgvo_tools Improper Access Control (CVE-2021-42359, severity HIGH, CVSS 7.5, 2021)
Description: identical to the CVE text above.
Affected: legalweb wp_dsgvo_tools
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use
No detection rules found.
Nuclei
WP DSGVO Tools (GDPR) <= 3.1.23 - Unauthenticated Arbitrary Post Deletion (CVE-2021-42359, severity CRITICAL, CVSS 9.1)
Description: identical to the CVE text above.
Template (fragment as indexed):

```yaml
id: CVE-2021-42359
info:
  name: WP DSGVO Tools (GDPR) <= 3.1.23 - Unauthenticated Arbitrary Post Deletion
```
No writeups or analysis indexed.
Timeline
2021-11-05: Published
Exploited in the wild