CVE-2018-19207

CRITICAL EXPLOITED IN THE WILD NUCLEI LAB

Van Ons WP GDPR Compliance <1.4.3 - RCE

Title source: llm

Description

The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.

Exploits (4)

nomisec WORKING POC 4 stars

by aeroot · remote

https://github.com/aeroot/WP-GDPR-Compliance-Plugin-Exploit

View Code ZIP pw:eip

nomisec WORKING POC

by cved-sources · poc

https://github.com/cved-sources/cve-2018-19207

View Code ZIP pw:eip

vulncheck_xdb

remote

https://github.com/AnotherSec/CVE-2018-19207

View on vulncheck_xdb

metasploit WORKING POC

by Mikey Veenstra (WordFence), Thomas Labadie · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb

View Code ZIP pw:eip

Nuclei Templates (1)

WP GDPR Compliance < 1.4.3 - Unauthenticated Call Any Action or Update Any Option

CRITICALVERIFIEDby iamnoooob,pdresearch

References (4)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/105921

[Product, Vendor Advisory] https://wordpress.org/plugins/wp-gdpr-compliance/#developers

[Exploit, Third Party Advisory] https://wpvulndb.com/vulnerabilities/9144

[Exploit, Third Party Advisory] https://www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/

Scores

CVSS v3 9.8

EPSS 0.9194

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull cved/base-wordpress

https://github.com/aeroot/WP-GDPR-Compliance-Plugin-Exploit

https://github.com/cved-sources/cve-2018-19207

https://github.com/rapid7/metasploit-framework

View in Library

Details

VulnCheck KEV 2018-11-09

InTheWild.io 2019-10-03

CWE

CWE-425

Status published

Products (1)

van-ons/wp-gdpr-compliance < 1.4.3

Published Nov 12, 2018

Tracked Since Feb 18, 2026