CVE-2021-4348

HIGH

Ultimate GDPR & CCPA <2.4 - Unauthenticated RCE

Title source: llm

Description

The Ultimate GDPR & CCPA plugin for WordPress is vulnerable to unauthenticated settings import and export via the export_settings & import_settings functions in versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to change plugin settings and conduct attacks such as redirecting visitors to malicious sites.

References (2)

Core 2

Core References

Exploit, Technical Description, Third Party Advisory

https://blog.nintechnet.com/critical-vulnerability-in-wordpress-ultimate-gdpr-ccpa-compliance-toolkit-plugin/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/40e2e8fb-ea36-4602-bead-8daf75d6dfb9?source=cve

Scores

CVSS v3 7.5

EPSS 0.0066

EPSS Percentile 46.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-601 CWE-862

Status published

Products (2)

createit/ultimate_gdpr_\&_ccpa_compliance_toolkit < 2.5

createit-pl/Ultimate GDPR & CCPA Compliance Toolkit for WordPress < 2.5

Published Jun 07, 2023

Tracked Since Feb 18, 2026