CVE-2021-24294

Name of the Vulnerable Software and Affected Versions DSGVO All in one for WP versions prior to 4.0

Description The issue is related to the failure to neutralize special elements, which can lead to cross-site scripting (XSS) attacks. An unauthenticated attacker can exploit this by submitting malicious POST parameters, potentially gaining unauthorized access to create a rogue administrator account. This could be triggered when an administrator views the logs, specifically on the Log page in the administrator dashboard, accessed through wp-admin/admin.php?page=dsgvoaiofree-show-log. The dsgvoaio write log AJAX action is particularly vulnerable due to its lack of sanitization or escaping of certain POST parameters.

Recommendations For versions prior to 4.0, update to version 4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Log page in the administrator dashboard to minimize the risk of exploitation. Avoid using the dsgvoaio write log AJAX action until the issue is resolved.