Stored Cross-Site Scripting Vulnerability in GDPR Framework Plugin by Data443
CVE-2024-13621

4.8MEDIUM

Key Information:

Vendor: WordPress
Status: The Gdpr Framework By Data443
Vendor: CVE Published:; 15 May 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-13621?

The GDPR Framework plugin by Data443 prior to version 2.2.0 has a critical flaw in how it handles certain settings, leading to the potential for Stored Cross-Site Scripting (XSS) attacks. High privilege users, including administrators, may exploit this vulnerability even in environments where unfiltered HTML is restricted, such as multisite setups. By failing to properly sanitize and escape these settings, the plugin opens up pathways for malicious scripts to be inserted, posing a severe risk to the integrity of WordPress sites.

Affected Version(s)

The GDPR Framework By Data443 0 < 2.2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-13621 - Proof of Concept

References

https://wpscan.com/vulnerability/5b48ecbb-c459-4c39-825d-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 15, 2025
👾
Exploit known to exist
May 15, 2025
Vulnerability published
May 15, 2025
Vulnerability Reserved
Jan 22, 2025

Credit

Bob Matyas

WPScan