Pierluigi Paganini
February 13, 2020
Critical vulnerabilities in the WordPress GDPR Cookie Consent plugin could be exploited by potential attackers to delete and change the content of the sites and inject malicious JavaScript code due to improper access controls.
The GDPR Cookie Consent plugin assists users in making your website GDPR
“The save_contentdata method allows the administrator to save the GDPR cookie notice to the database as a page post type” wrote NinTechNet.
“An authenticated
The WordPress plugin is developed by WebToffee that addressed the flaw with the release of version 1.8.3, less than a week after the disclosure of the issues. The vulnerabilities affect version 1.8.2 and earlier.
The security firm
“Because the AJAX endpoint was intended to only be accessible to administrators, the vulnerability allows subscriber-level users to perform a number of actions that can compromise the site’s security.” states WordFence.
An attacker could exploit the flaw to inject JavaScript code that will be automatically loaded and executed every time a user (authenticated or not) visits the /
“[
Giving a look at the download history of the plugin we can see that no more than 82,000 users have installed the latest version of the plugin, this means that more than 600K installations are still vulnerable.
| Today | 8.374 |
|---|---|
| Yesterday | 72.341 |
| Last 7 Days | 95.504 |
| All Time | 5.104.967 |
Security experts at WordFence recently reported that over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug (CVE-2020-8417) in Code Snippets.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″]
[adrotate banner=”13″]
