CVE-2023-6700

HIGH EXPLOITED

Free GDPR Consent Solution <= 2.0.22 - Authenticated Arbitrary Option Update

Title source: llm

Exploitation Summary

CVE-2023-6700 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including RandomRobbieBF.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-6700, which allows authenticated attackers with subscriber-level access to update arbitrary WordPress options, potentially leading to privilege escalation by enabling user registration and setting the default role to administrator.

Description

The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options which can be used to create administrator accounts.

Exploits (1)

nomisec WORKING POC 2 stars

by RandomRobbieBF · remote-auth

https://github.com/RandomRobbieBF/CVE-2023-6700

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-6700, which allows authenticated attackers with subscriber-level access to update arbitrary WordPress options, potentially leading to privilege escalation by enabling user registration and setting the default role to administrator.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Cookie Information | Free GDPR Consent Solution plugin for WordPress <= 2.0.22

Auth required

Prerequisites: Valid WordPress credentials with subscriber-level access or higher · Target site running vulnerable plugin version

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Patch

https://plugins.trac.wordpress.org/changeset/3028096/wp-gdpr-compliance/trunk?contextall=1&old=2865555&old_path=%2Fwp-gdpr-compliance%2Ftrunk

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/42a4ef37-c842-4925-b06a-3e6423337567?source=cve

Scores

CVSS v3 8.8

EPSS 0.0147

EPSS Percentile 70.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

VulnCheck KEV 2024-01-29

CWE

CWE-862

Status published

Products (2)

cookieinformation/Cookie Information | Free GDPR Consent Solution < 2.0.22

cookieinformation/wp-gdpr-compliance < 2.0.22

Published Feb 05, 2024

Tracked Since Feb 18, 2026