Complianz Vulnerability – GDPR/CCPA Cookie Consent – Cross-Site Request Forgery to Data Request Deletion – CVE-2024-1592 | WordPress Plugin Vulnerability Report
Plugin Name: Complianz – GDPR/CCPA Cookie Consent
Key Information:
- Software Type: Plugin
- Software Slug: complianz-gdpr
- Software Status: Active
- Software Author: rogierlankhorst
- Software Downloads: 14,458,989
- Active Installs: 900,000
- Last Updated: March 1, 2024
- Patched Versions: 7.0.0
- Affected Versions: <= 6.5.6
Vulnerability Details:
- Name: Complianz – GDPR/CCPA Cookie Consent <= 6.5.6
- Title: Cross-Site Request Forgery to Data Request Deletion
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- CVE: CVE-2024-1592
- CVSS Score: 4.3
- Publicly Published: March 1, 2024
- Researcher: Krzysztof Zając - CERT PL
- Description: The Complianz plugin, which manages GDPR and CCPA cookie consent for WordPress sites, contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 6.5.6. The process_delete function in class-DNSMPD.php performs no nonce validation, so an attacker who misleads an administrator into clicking a malicious link can cause the administrator's browser to delete GDPR data requests without authorization.
Summary:
The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to CSRF in versions up to and including 6.5.6, allowing unauthorized deletion of GDPR data requests. The issue is fixed in version 7.0.0.
Detailed Overview:
Reported by Krzysztof Zając of CERT PL, this vulnerability shows why every state-changing administrative action in a WordPress plugin must validate a nonce: without that check, an attacker can forge requests on an administrator's behalf and tamper with the records a site relies on for data-protection compliance. The Complianz development team fixed the issue in version 7.0.0, which users of the plugin for regulatory compliance should apply.
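The pattern described above, as an added example that is not Complianz's code: a hypothetical WordPress admin-page handler that deletes a data request, shown first without a nonce check and then with the nonce and capability checks WordPress provides. All function, page, table and nonce-action names are invented.

```php
<?php
// Added example, not Complianz code: a hypothetical admin-page handler that
// deletes one "data request" row. Function, page, table and nonce-action
// names are invented for illustration.

// BEFORE: any request to the admin page with ?action=delete&id=N deletes the
// row. Nothing ties the request to the admin's intent, so a page elsewhere
// that makes the logged-in admin's browser send this URL deletes the record.
function example_process_delete_unsafe() {
    if ( isset( $_GET['action'], $_GET['id'] ) && 'delete' === $_GET['action'] ) {
        global $wpdb;
        $wpdb->delete( $wpdb->prefix . 'example_data_requests', array( 'ID' => (int) $_GET['id'] ), array( '%d' ) );
    }
}

// AFTER: the delete link carries a nonce bound to the action and the row ID,
// and the handler verifies both the nonce and the capability before deleting.
function example_delete_link( $id ) {
    $url = add_query_arg(
        array( 'page' => 'example-data-requests', 'action' => 'delete', 'id' => (int) $id ),
        admin_url( 'admin.php' )
    );
    // wp_nonce_url() appends _wpnonce=<token> bound to this action string.
    return wp_nonce_url( $url, 'example_delete_request_' . (int) $id, '_wpnonce' );
}

function example_process_delete_safe() {
    if ( ! isset( $_GET['action'], $_GET['id'] ) || 'delete' !== $_GET['action'] ) {
        return;
    }
    $id = (int) $_GET['id'];

    // Authorization: only users with the right capability may delete requests.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }

    // CSRF check: check_admin_referer() stops with a 403 "link has expired"
    // screen when the nonce is missing or invalid, which a forged link
    // cannot supply because the token is derived from the user's session.
    check_admin_referer( 'example_delete_request_' . $id, '_wpnonce' );

    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'example_data_requests', array( 'ID' => $id ), array( '%d' ) );
}
add_action( 'admin_init', 'example_process_delete_safe' );
```

WordPress nonces are also time-limited (24 hours by default), so the link must be generated fresh for the logged-in administrator rather than copied from elsewhere.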
Advice for Users:
- Immediate Action: Users of the Complianz plugin must upgrade to version 7.0.0 promptly to mitigate the risk posed by the CSRF vulnerability and ensure the continued protection of GDPR data requests.
- Check for Signs of Vulnerability: Administrators should be on the lookout for unauthorized changes or deletions in GDPR data requests, which might indicate exploitation of this vulnerability.
- Alternate Plugins: While the updated version rectifies the identified security concern, exploring other GDPR/CCPA compliance plugins with robust security features may offer additional peace of mind.
- Stay Updated: The cornerstone of maintaining a secure WordPress site lies in keeping all themes and plugins updated to their latest versions, thereby safeguarding against known vulnerabilities.
Conclusion:
The discovery and fix of the CSRF vulnerability in the Complianz – GDPR/CCPA Cookie Consent plugin are a reminder that security threats change continually and require ongoing vigilance. For small business owners and web administrators, the incident reinforces the need to prioritize the security of digital assets, particularly where regulatory compliance depends on website functionality. Proactive security practices and timely updates remain essential to maintaining a secure, trustworthy site for users and stakeholders alike.
References:
- Wordfence Vulnerability Report on Complianz – GDPR/CCPA Cookie Consent
- Wordfence Vulnerabilities for Complianz – GDPR/CCPA Cookie Consent
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.