CVE-2024-5607

Name of the Vulnerable Software and Affected Versions GDPR CCPA Compliance & Cookie Consent Banner plugin for WordPress versions up to, and including, 2.7.0

Description The issue is related to a missing capability check on several functions named ajaxUpdateSettings() in the GDPR CCPA Compliance & Cookie Consent Banner plugin for WordPress. This allows authenticated attackers with Subscriber-level access and above to modify the plugin's settings, update page content, send arbitrary emails, and inject malicious web scripts.

Recommendations For versions up to, and including, 2.7.0, update the plugin to a version that includes the necessary capability checks to prevent unauthorized modification of data. As a temporary workaround, consider restricting access to the ajaxUpdateSettings() function until a patch is available. Additionally, restrict the ability of authenticated users with Subscriber-level access and above to modify the plugin's settings and update page content.