Cookie Information | Free GDPR Consent Solution Vulnerability – Authenticated (Subscriber+) Arbitrary Options Update – CVE-2023-6700 | WordPress Plugin Vulnerability Report

Plugin Name: Cookie Information | Free GDPR Consent Solution

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-gdpr-compliance
  • Software Status: Active
  • Software Author: cookieinformation
  • Software Downloads: 3,745,212
  • Active Installs: 100,000
  • Last Updated: February 2, 2024
  • Patched Versions: 2.0.23
  • Affected Versions: <= 2.0.22

Vulnerability Details:

  • Name: Cookie Information | Free GDPR Consent Solution <= 2.0.22
  • Title: Authenticated (Subscriber+) Arbitrary Options Update
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2023-6700
  • CVSS Score: 8.8
  • Publicly Published: January 29, 2024
  • Researcher: Lucio Sá
  • Description: A critical vulnerability has been identified in the Cookie Information | Free GDPR Consent Solution plugin, affecting all versions up to and including 2.0.22. This flaw arises from a missing capability check in the AJAX request handler, allowing authenticated users with subscriber-level permissions or higher to modify arbitrary site options. This could potentially be exploited to create unauthorized administrator accounts, posing a significant security risk.

Summary:

The Cookie Information | Free GDPR Consent Solution plugin, essential for WordPress sites requiring GDPR compliance, has been found to contain a severe security vulnerability in versions up to 2.0.22. This issue enables lower-level users to illicitly alter site settings, underscoring the urgent need for updates to version 2.0.23, where the vulnerability has been rectified.

Detailed Overview:

Discovered by researcher Lucio Sá, this vulnerability presents a considerable threat by allowing those with minimal access to execute changes typically reserved for administrators. The ability to update arbitrary options can lead to severe consequences, such as the unauthorized creation of admin accounts, alteration of site content, or complete site takeover. Given the high CVSS score of 8.8, the potential impact of this vulnerability is substantial, warranting immediate attention from site administrators.

Advice for Users:

To safeguard against potential exploits stemming from this vulnerability, users are advised to promptly update the Cookie Information plugin to the patched version 2.0.23. Additionally, administrators should review their WordPress sites for any signs of unauthorized activity or changes. In instances where an immediate update is not feasible, temporarily disabling the plugin and seeking alternative GDPR compliance solutions may be necessary until the update can be applied. Regularly updating all WordPress components is crucial for maintaining a secure online environment.

Conclusion:

The swift response from the developers of the Cookie Information plugin in releasing a patch highlights the critical nature of timely software updates in the realm of cybersecurity. With over 1,200 attacks blocked by Wordfence targeting this vulnerability in just 24 hours, the urgency for users to update to version 2.0.23 or later cannot be overstated. Staying informed and proactive in applying updates is essential for WordPress site owners, particularly small business operators with limited IT resources, to protect their digital assets and user data from emerging threats.

References:

In today's digital ecosystem, where websites serve as the linchpin of many businesses, the security and integrity of your online presence are paramount. The discovery of a significant vulnerability in the Cookie Information | Free GDPR Consent Solution WordPress plugin, marked as CVE-2023-6700, serves as a stark reminder of the ever-present cyber threats lurking in the digital shadows. This vulnerability not only exposes the fragility of seemingly robust digital tools but also accentuates the critical importance of diligent website maintenance and cybersecurity vigilance.

About the Plugin:

The Cookie Information | Free GDPR Consent Solution plugin is an essential tool for WordPress site owners, facilitating GDPR compliance with over 3.7 million downloads and 100,000 active installations. Developed by cookieinformation, this plugin has become a staple for ensuring user consent and data protection practices are up to par with legal standards.

Vulnerability Details:

CVE-2023-6700 unveils a critical flaw in versions up to 2.0.22 of the plugin, where a missing capability check in the AJAX request handler allows authenticated users, even those with mere subscriber-level access, to alter arbitrary site options. This loophole, discovered by researcher Lucio Sá and publicly disclosed on January 29, 2024, could potentially be exploited to create unauthorized administrator accounts, leading to severe security breaches.

Risks and Potential Impacts:

The exploitation of this vulnerability poses dire risks, including unauthorized access, data breaches, and the possibility of a complete site takeover. For small business owners, such incidents can lead to significant reputational damage, loss of customer trust, and potentially severe legal and financial repercussions.

Remediation and Advice for Users:

To counteract this vulnerability, it is imperative to update the plugin to the patched version 2.0.23 immediately. Site administrators should also conduct thorough reviews of their WordPress settings and user roles for any anomalies or unauthorized changes. In scenarios where an update is not immediately feasible, disabling the plugin temporarily and exploring alternative GDPR compliance solutions is advisable until the security patch can be applied.

Previous Vulnerabilities:

This is not the first time vulnerabilities have been identified in the Cookie Information plugin, with three previous issues reported since November 8, 2018. This history of vulnerabilities underscores the importance of ongoing monitoring and updating as part of a comprehensive cybersecurity strategy.

Conclusion:

The rapid response from the Cookie Information plugin developers to rectify CVE-2023-6700 highlights the vital role of timely software updates in maintaining cybersecurity. In an era where over 1,200 attacks targeting this vulnerability were blocked in just 24 hours, the necessity for WordPress site owners, especially those managing small businesses with limited IT resources, to stay informed and proactive in updating their site components is more critical than ever. Embracing a culture of regular maintenance and staying abreast of the latest security advisories can significantly fortify your digital assets against the evolving landscape of cyber threats.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

 

Cookie Information | Free GDPR Consent Solution Vulnerability – Authenticated (Subscriber+) Arbitrary Options Update – CVE-2023-6700 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment