PT-2023-12457 · WordPress · The Ultimate Gdpr & Ccpa

Jerome Bruandet · Published 2023-06-07 · Updated 2023-06-14 · CVE-2021-4348

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

The Ultimate GDPR & CCPA plugin for WordPress versions up to, and including, 2.4

Description

The issue allows unauthenticated attackers to import and export settings via the export settings and import settings functions. This enables them to change plugin settings, potentially leading to attacks such as redirecting visitors to malicious sites.

Recommendations

For versions up to, and including, 2.4, consider disabling the export settings and import settings functions as a temporary workaround until a patch is available. Restrict access to these functions to minimize the risk of exploitation.

Exploit

Fix

Open Redirect

Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2021-4348

Affected Products: The Ultimate Gdpr & Ccpa