PT-2022-9470 · WordPress · Wordpress Gdpr

Researchers: 0Xspade +2

Published: 2022-02-01 · Updated: 2022-02-07

CVE-2021-24814

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WordPress GDPR WordPress plugin, versions prior to 1.9.26
Description: The issue concerns the check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin. The action is reachable by both unauthenticated and authenticated users and responds with JSON data without an application/json content-type, so a web browser parses the response body as HTML. Because attacker-supplied request data reflected into that body is not filtered, an HTML payload containing JavaScript is rendered and executed in the victim's browser, in the origin of the WordPress site. If the victim is an administrator with a valid session cookie, the attacker can take full control of the WordPress instance: the vulnerable endpoint is served from the same domain as the admin panel, so injected script can issue authenticated AJAX calls and load admin pages in iframes.
Recommendations: For versions prior to 1.9.26, update to version 1.9.26 or later. As a temporary workaround until the update is applied, restrict access to the check_privacy_settings AJAX action.
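The following PHP is an added illustration of the flaw described above and of the fix and workaround the recommendations call for; it is not the WordPress GDPR plugin's own code and has not been taken from version 1.9.26. It assumes the AJAX action is registered under the name check_privacy_settings and that it reflects a request parameter (named settings here, an assumption) into its JSON reply. Section 2 is plugin-side code; section 3 is a separate mu-plugin that would be dropped into wp-content/mu-plugins/ while the vulnerable version is still installed. They are combined in one listing only for reading.

```php
<?php
/**
 * Illustrative reconstruction, NOT the WordPress GDPR plugin's source.
 * Assumptions: the AJAX action is "check_privacy_settings" and it echoes a
 * request parameter (assumed name "settings") back inside a JSON object.
 */

/* -------- 1. Vulnerable pattern (the behaviour the advisory describes) -------- */

function vuln_check_privacy_settings() {
    // Attacker-controlled input is reflected untouched.
    $settings = isset( $_REQUEST['settings'] ) ? wp_unslash( $_REQUEST['settings'] ) : '';

    // admin-ajax.php has already sent "Content-Type: text/html" and nothing
    // here replaces it, so the browser parses this body as an HTML document.
    // json_encode() leaves "<" and ">" alone by default, so a request such as
    //   /wp-admin/admin-ajax.php?action=check_privacy_settings
    //       &settings=<img src=x onerror=alert(document.domain)>
    // echoes the tag verbatim and the script runs in the site's origin.
    echo json_encode( array( 'status' => 'ok', 'settings' => $settings ) );
    wp_die();
}
// In the vulnerable pattern this handler is hooked to both
// 'wp_ajax_check_privacy_settings' and 'wp_ajax_nopriv_check_privacy_settings'.

/* -------- 2. Hardened handler (what the plugin-side fix should look like) -------- */

function fixed_check_privacy_settings() {
    // A valid nonce must accompany the request; a link planted by an attacker
    // cannot carry one, so a cross-site trigger is rejected with HTTP 403.
    // The plugin's own front-end script would obtain the nonce from
    // wp_create_nonce( 'check_privacy_settings' ).
    check_ajax_referer( 'check_privacy_settings', 'nonce' );

    $settings = isset( $_REQUEST['settings'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['settings'] ) )
        : '';

    // wp_send_json() sets "Content-Type: application/json", encodes with
    // wp_json_encode() and ends the request; a body the browser treats as JSON
    // is never rendered as markup. JSON_HEX_TAG (third argument, WordPress
    // 5.3 or later) additionally emits "<" and ">" as \u003C and \u003E, so the
    // reply stays inert even if a proxy rewrote the content type.
    wp_send_json( array( 'status' => 'ok', 'settings' => $settings ), 200, JSON_HEX_TAG );
}
add_action( 'wp_ajax_check_privacy_settings',        'fixed_check_privacy_settings' );
add_action( 'wp_ajax_nopriv_check_privacy_settings', 'fixed_check_privacy_settings' );

/* -------- 3. Interim workaround as a mu-plugin (wp-content/mu-plugins/) -------- */

// Priority 0 runs before the plugin's own callback. Anonymous callers are
// refused outright; for logged-in callers the content type is forced to JSON
// before the vulnerable handler prints anything, so a reflected payload is
// not parsed as HTML. Remove this file once the plugin has been updated.
function workaround_refuse_nopriv_check_privacy_settings() {
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}
add_action( 'wp_ajax_nopriv_check_privacy_settings', 'workaround_refuse_nopriv_check_privacy_settings', 0 );

function workaround_force_json_check_privacy_settings() {
    if ( ! headers_sent() ) {
        header( 'Content-Type: application/json; charset=utf-8' );
        header( 'X-Content-Type-Options: nosniff' );
    }
}
add_action( 'wp_ajax_check_privacy_settings', 'workaround_force_json_check_privacy_settings', 0 );
```

The nonce check in section 2 is what actually breaks the attack chain against an administrator: the victim's browser follows the attacker's link with a valid session cookie, but the request carries no nonce, so the handler never echoes the payload. The content type and JSON_HEX_TAG are the second and third layers, each of which on its own would also stop the browser from executing the reflected markup.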

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2021-24814

Affected Products: Wordpress Gdpr