CVE-2018-19207

NVD

https://nvd.nist.gov/vuln/detail/CVE-2018-19207

CWE

https://cwe.mitre.org/data/definitions/425.html

The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.

Weakness

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Affected Software

Name	Vendor	Start Version	End Version
Wp-gdpr-compliance	Van-ons	*	1.4.3 (excluding)

Potential Mitigations

https://cwe.mitre.org/data/definitions/127.html
https://cwe.mitre.org/data/definitions/143.html
https://cwe.mitre.org/data/definitions/144.html
https://cwe.mitre.org/data/definitions/668.html
https://cwe.mitre.org/data/definitions/87.html

References

http://www.securityfocus.com/bid/105921
https://wordpress.org/plugins/wp-gdpr-compliance/#developers
https://wpvulndb.com/vulnerabilities/9144
https://www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/

Direct Request ('Forced Browsing')

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References