CVE-2023-6700
Published 2024-02-05
CVE-2023-6700: The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its…
Priority: P276 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.47% (70.5th percentile)
The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options which can be used to create administrator accounts.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cookieinformation | cookie_information_free_gdpr_consent_solution | <= 2.0.22 | — |
| cookieinformation | wp-gdpr-compliance | <= 2.0.22 | — |
CVSS provenance
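| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 8.8 | HIGH | — |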
VulDB
Cookie Information Plugin up to 2.0.22 on WordPress Options Update improper authentication (ID 3028096)
vuldb·2026-04-11·CVSS 8.8
CVE-2023-6700 [HIGH] Cookie Information Plugin up to 2.0.22 on WordPress Options Update improper authentication (ID 3028096)
A vulnerability was found in Cookie Information Plugin up to 2.0.22 on WordPress. It has been classified as critical. This issue affects some unknown processing of the component Options Update Handler. This manipulation causes improper authentication.
This vulnerability is registered as CVE-2023-6700. Remote exploitation of the attack is possible. No exploit is available.
GHSA
GHSA-gj6f-cjc7-f9fg: The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check o
ghsa_unreviewed·2024-02-06
CVE-2023-6700 [HIGH] CWE-862 GHSA-gj6f-cjc7-f9fg: The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check o
VulnCheck
cookieinformation wp-gdpr-compliance Missing Authorization
vulncheck·2023·CVSS 8.8
CVE-2023-6700 [HIGH] cookieinformation wp-gdpr-compliance Missing Authorization
Affected: cookieinformation wp-gdpr-compliance
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-gdpr-compliance/cookie-information-free
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/changeset/3028096/wp-gdpr-compliance/trunk?contextall=1&old=2865555&old_path=%2Fwp-gdpr-compliance%2Ftrunk
https://www.wordfence.com/threat-intel/vulnerabilities/id/42a4ef37-c842-4925-b06a-3e6423337567?source=cve