WordPress GDPR & CCPA < 1.9.26 - Authenticated Reflected Cross-Site Scripting
CVE-2021-24814

9.6CRITICAL

Key Information:

Vendor: Wordpress
Status: WordPress Gdpr\&ccpa
Vendor: CVE Published:; 1 February 2022

Summary

The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same domain as the admin panel - there is no same-origin restriction).

References

https://wpscan.com/vulnerability/94ab34f6-86a9-4e14-bf86-...

x_refsource_MISC

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 1, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

Ace Candelario (@0xspade)

Victor Paynat-Sautivet (3DS Outscale SOC)