CVE-2024-33682
Description
Cross-Site Request Forgery (CSRF) vulnerability in Cookie Information A/S WP GDPR Compliance. This issue affects WP GDPR Compliance: from n/a through 2.0.23.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WP GDPR Compliance plugin up to v2.0.23 allows attackers to force privileged users to execute unintended actions.
Vulnerability Overview
The WP GDPR Compliance plugin for WordPress, versions from n/a through 2.0.23, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This security flaw stems from insufficient validation of request origins, enabling a malicious actor to craft requests that appear legitimate to the plugin's administrative functions [1]. The vulnerability affects all installations running the affected versions without proper CSRF protections.
Exploitation Method
An attacker can exploit this vulnerability by tricking a privileged WordPress user (such as an administrator) into clicking a malicious link, visiting a crafted page, or submitting a specially constructed form [1]. No authentication is required from the attacker, but the targeted user must be logged in with sufficient privileges when the action is triggered [1]. This attack vector is commonly used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Impact Assessment
Successful exploitation allows an attacker to force the victim to perform unwanted actions under their current authentication session [1]. Depending on the privileges of the targeted user, this could lead to unauthorized changes to plugin settings, GDPR compliance configurations, or other administrative tasks that the plugin manages. The CVSS v3 score of 5.4 (Medium) reflects the need for user interaction and the requirement of a privileged user being tricked [1].
Mitigation
The recommended immediate action is to update the affected plugin to the latest version that includes a proper CSRF fix [1]. If updating is not possible, administrators should seek assistance from their hosting provider or web developer [1]. The vulnerability has been publicly disclosed, and exploitation attempts against unpatched installations are likely.
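To find installations still inside the affected range, the following added example (not code from the advisory or from the plugin) scans a `wp-content/plugins` directory, reads each plugin header and flags versions up to 2.0.23. It assumes the plugin's header reads `Plugin Name: WP GDPR Compliance`; `make_sample` and the directory names in the demo are constructed test data.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (2, 0, 23)          # from the advisory: affected through 2.0.23
PLUGIN_NAME = "WP GDPR Compliance"  # assumed "Plugin Name" header value

def read_header(php_file, field):
    """Return a plugin-header field from the first 8 KiB of the file, or None."""
    head = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
    return m.group(1).strip() if m else None

def version_tuple(text):
    """'2.0.24-rc1' -> (2, 0, 24); returns () if no leading dotted number."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def is_affected(version):
    """True if version <= 2.0.23, comparing zero-padded numeric tuples."""
    v = version_tuple(version)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return bool(v) and pad(v) <= pad(LAST_AFFECTED)

def scan(plugins_dir):
    """Return (directory, version, affected) for each matching plugin found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        if read_header(php, "Plugin Name") != PLUGIN_NAME:
            continue
        version = read_header(php, "Version")
        # Missing or unparsable Version header: report None for manual review.
        affected = is_affected(version) if version and version_tuple(version) else None
        findings.append((php.parent.name, version, affected))
    return findings

def make_sample(root, dirname, version):
    """Constructed sample: a minimal plugin file carrying a WordPress header."""
    d = Path(root) / dirname
    d.mkdir(parents=True)
    (d / "plugin.php").write_text(f"<?php\n/*\n * Plugin Name: {PLUGIN_NAME}\n * Version: {version}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        for name, ver in (("site-a-copy", "2.0.23"), ("site-b-copy", "2.0.24")):
            make_sample(root, name, ver)
        for row in scan(root):
            print(row)
```

A result of `None` in the third field means the header was found but its version could not be parsed, so that copy needs a manual check.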
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.0.23
Patches
No patches discovered yet.