MidnightBSD

Advisories for appsaloon

CVE-2020-20628 MEDIUM

controller/controller-comments.php in WP GDPR plugin through 2.1.1 has unauthenticated stored XSS.

CVSS 3.x

| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

| Vendor | Product | Version |
|---|---|---|
| appsaloon | wp-gdpr | 2.1.1 |

CVE-2020-36697

The WP GDPR plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to delete any comment and modify the plugin’s settings.

CVSS 3.x

| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security@wordfence.com | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 3.9 | 3.4 |

Products Affected

| Vendor | Product | Version |
|---|---|---|
| appsaloon | wp_gdpr | * |