CVE-2024-3599

WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.0.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdpr_policy_process_delete() function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to delete arbitrary posts.

El complemento WP Cookie Consent (para GDPR, CCPA y ePrivacy) para WordPress es vulnerable a la pérdida no autorizada de datos debido a una falta de verificación de capacidad en la función gdpr_policy_process_delete() en todas las versiones hasta la 3.0.2 incluida. Esto hace posible que atacantes no autenticados eliminen publicaciones arbitrarias.

*Credits: Krzysztof Zając

CVSS Scores

Wordfencev3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-10 CVE Reserved
2024-04-16 CVE Published
2024-05-03 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-862: Missing Authorization

CAPEC

References (2)

URL	Tag	Source
https://plugins.trac.wordpress.org/changeset/3071278/gdpr-cookie-consent/tags/3.1.0/admin/class-gdpr-cookie-consent-admin.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/4b9abbf1-d9f5-4406-9d0c-bc2f9891d0e8?source=cve

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wpeka-club Search vendor "Wpeka-club"		WP Cookie Consent ( For GDPR, CCPA & EPrivacy ) Search vendor "Wpeka-club" for product "WP Cookie Consent ( For GDPR, CCPA & EPrivacy )"				<= 3.0.2 Search vendor "Wpeka-club" for product "WP Cookie Consent ( For GDPR, CCPA & EPrivacy )" and version " <= 3.0.2"		en		Affected