SB2020021220 - Improper access control in GDPR Cookie Consent plugin for WordPress

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the "cli_policy_generator" AJAX call. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Successful exploitation of this vulnerability allows an attacker to change the status of any post/page from published to draft, remove them from the frontend of the blog or put a payload in the content of one of them, leading to Authenticated Stored Cross-Site Scripting issues.

Remediation

Install update from vendor's website.

References

• https://wpvulndb.com/vulnerabilities/10069/
• https://blog.nintechnet.com/wordpress-gdpr-cookie-consent-plugin-fixed-vulnerability/