S4E

CVE-2021-42359 Scanner

CVE-2021-42359 Scanner - Unauthenticated Arbitrary Post Deletion vulnerability in WP DSGVO Tools (GDPR)

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 11 days 23 hours
Scan only one: Domain, Subdomain, IPv4

WP DSGVO Tools (GDPR) is used predominantly by web administrators and developers who need their WordPress sites to comply with the General Data Protection Regulation (GDPR). It lets them set up privacy notices and manage data requests in line with GDPR requirements. The plugin is particularly valuable for e-commerce websites and blogs, which require transparent data collection and management practices. It is favored among European businesses and bloggers because of its compliance-oriented features, and hosting providers recommend it to clients who must adhere to European privacy laws. Its role in reducing GDPR compliance risk makes it a widely adopted plugin.

The vulnerability this scanner checks for is an unauthenticated arbitrary post deletion issue, which allows attackers to delete posts without authorization. It arises from the plugin's AJAX action 'admin-dismiss-unsubscribe', which performs neither a capability check nor a nonce check. By setting specific parameters in a request, an attacker can permanently delete posts or pages. The problem is made worse because the plugin does not specify a post type when handling the action, so the deletion is not limited to the plugin's own records. Without these checks, unauthorized deletion of site content is possible.

Technically, the vulnerable endpoint is the 'admin-ajax.php' file, to which an attacker can send requests with the 'action' parameter set to 'admin-dismiss-unsubscribe' and the 'id' parameter set to the ID of the targeted post. The lack of proper security checks on these AJAX requests is the primary flaw: a single crafted AJAX request is enough to trigger the deletion. The request must carry both the 'action' and 'id' parameters; otherwise it has no effect on site content. The vulnerability therefore depends entirely on the attacker's control over these AJAX parameters.
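The three checks this description says are missing (capability, nonce, post type), shown as a hardened WordPress AJAX handler. This is an added example, not the plugin's code or its actual patch; the hook name is derived from the action named above, and the function name, nonce action, required capability and post type are hypothetical placeholders.

```php
<?php
// Added illustration only. EXAMPLE_* values are hypothetical placeholders,
// not identifiers taken from WP DSGVO Tools (GDPR).
const EXAMPLE_POST_TYPE    = 'example_unsubscribe';
const EXAMPLE_NONCE_ACTION = 'example-dismiss-unsubscribe';

// Register the authenticated hook only. WordPress routes logged-out callers
// to wp_ajax_nopriv_{action}; with no such hook registered they are rejected.
add_action( 'wp_ajax_admin-dismiss-unsubscribe', 'example_dismiss_unsubscribe' );

function example_dismiss_unsubscribe() {
    // 1. Nonce check: the request must come from a page we rendered for
    //    this user. Passing false makes the call return instead of dying.
    if ( ! check_ajax_referer( EXAMPLE_NONCE_ACTION, '_ajax_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Capability check: being logged in is not enough to delete content.
    //    'manage_options' is an assumed choice for an admin-only action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 3. Post type check: the 'id' parameter may only refer to the plugin's
    //    own records, never to an arbitrary post or page.
    $id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $post = $id ? get_post( $id ) : null;
    if ( ! $post || EXAMPLE_POST_TYPE !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Invalid record.' ), 400 );
    }

    // Only now perform the permanent deletion (second argument skips trash).
    if ( ! wp_delete_post( $post->ID, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post->ID ) );
}
```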

Successful exploitation can cause major disruption: unapproved and irreversible deletion of key site content, leading to loss of information and potential damage to business operations. It could further undermine user confidentiality and adversely affect the website's SEO rankings. Missing content might also lead to a decline in user trust and interaction. Site administrators could lose control over the public-facing elements of their websites. As a result, the overall integrity and availability of the site content are compromised.
