CVE-2020-36718 in GDPR CCPA Compliance Support Plugin

Summary

by MITRE • 06/07/2023

The GDPR CCPA Compliance Support plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.3 via deserialization of untrusted input in the "njt_gdpr_allow_permissions" value. This allows unauthenticated attackers to inject a PHP Object.


Analysis

by VulDB Data Team • 04/09/2026

CVE-2020-36718 affects the GDPR CCPA Compliance Support plugin for WordPress, a plugin that helps site operators present cookie-consent and data-protection notices to visitors. The flaw is present in every version up to and including 2.3. It is not an ordinary input-validation bug: the plugin passes a client-controlled value, njt_gdpr_allow_permissions, to PHP's unserialize() in a way that lets the client decide which classes are instantiated, so the deserialization call itself is the sink (CWE-502, Deserialization of Untrusted Data).

Exploitation is PHP Object Injection. PHP's serialized format is textual; an O: token names a class and supplies its properties, and unserialize() creates a live instance of that class. When the plugin unserializes attacker-supplied text, the attacker therefore chooses which objects come into existence inside the request. That alone does not run attacker code. The impact depends on what happens to those objects afterwards: magic methods such as __wakeup() and __destruct() on classes already loaded by WordPress core, the active theme or other plugins are invoked automatically, and a chain of such methods (a gadget chain) can be steered into file writes, database queries or arbitrary code execution. Because the vulnerable value is read straight from the request, no authentication is needed; anyone who can reach the site can submit it.

Where a usable gadget chain is present, the operational impact goes well beyond the deserialization itself: an attacker can escalate to administrative privileges, upload web shells, modify database content, or plant persistent backdoors in the installation. WordPress plugins are a large and attractive attack surface because they run with the full privileges of the PHP process and are often reviewed less rigorously than core. A successful attack can mean complete compromise of the site, with data theft, defacement, or use of the server as a staging point for attacks on other systems.

Mitigation starts with updating the plugin to a release later than 2.3 (the affected range given above ends at 2.3 inclusive), or removing it if it is not needed. The durable fix is on the developer side: consent state that round-trips through the client should be stored as JSON and read with json_decode(), or, where PHP's native format has to be kept, unserialize() should be called with ['allowed_classes' => false] so that O: tokens yield __PHP_Incomplete_Class placeholders instead of live instances. The ATT&CK technique that fits server-side exploitation of a WordPress plugin is T1190, Exploit Public-Facing Application; T1203, Exploitation for Client Execution, covers client-side software such as browsers and document viewers and does not describe this flaw. A web application firewall rule that rejects serialized object tokens in the njt_gdpr_allow_permissions value is a reasonable stopgap, with the caveat that the value may arrive URL-encoded and must be decoded before matching. Operationally, search web logs for requests carrying O: payloads in that value, check for unexpected PHP files or modified core files after any such request, and keep WordPress core, themes and all plugins current, since the gadget classes that make object injection dangerous frequently come from other installed components.
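The payload format described in the exploitation paragraph and the decode-then-inspect check suggested in the mitigation paragraph, as an added example: this is not the plugin's code or Wordfence's. It assumes, hypothetically, that njt_gdpr_allow_permissions carries a PHP serialize()d array of consent flags and may arrive URL-encoded; the sample values are constructed, and the class name in the injection samples is a placeholder, not a real gadget.

```python
"""Flag PHP object-injection payloads in a serialized consent value.

Added example, not the plugin's own code. Assumes (hypothetically) that the
njt_gdpr_allow_permissions value is a PHP serialize()d array of consent flags,
e.g. a:2:{s:9:"marketing";b:1;s:9:"analytics";b:0;}, possibly URL-encoded.
"""
from urllib.parse import unquote


class PhpSerializeError(ValueError):
    """Malformed or unsupported serialized data."""


class UnsafeSerializedValue(PhpSerializeError):
    """The value would instantiate an object when passed to unserialize()."""


def parse_php_serialized(data: str):
    """Parse PHP serialize() output into Python values: scalars and arrays only.

    O:, C: and the legacy o: token abort with UnsafeSerializedValue, because
    those are what let the sender choose which classes unserialize() creates.
    References (r:/R:) and anything unknown are rejected as malformed. PHP
    string lengths are byte counts; this example assumes ASCII payloads.
    """
    pos = 0

    def take(expected: str) -> None:
        nonlocal pos
        if not data.startswith(expected, pos):
            raise PhpSerializeError(f"expected {expected!r} at offset {pos}")
        pos += len(expected)

    def read_until(sep: str) -> str:
        nonlocal pos
        end = data.find(sep, pos)
        if end == -1:
            raise PhpSerializeError(f"unterminated token at offset {pos}")
        token, pos = data[pos:end], end + 1
        return token

    def parse_value():
        nonlocal pos
        if pos >= len(data):
            raise PhpSerializeError("unexpected end of input")
        tag = data[pos]
        pos += 1
        if tag in "OoC":  # object tokens: the injection sink
            raise UnsafeSerializedValue(f"object token {tag!r} at offset {pos - 1}")
        if tag == "N":  # null is serialized as N; with no value part
            take(";")
            return None
        take(":")
        if tag == "b":
            return read_until(";") == "1"
        if tag == "i":
            return int(read_until(";"))
        if tag == "d":
            return float(read_until(";"))
        if tag == "s":  # s:<len>:"<bytes>";
            length = int(read_until(":"))
            take('"')
            text = data[pos:pos + length]
            if len(text) != length:
                raise PhpSerializeError("string shorter than declared length")
            pos += length
            take('";')
            return text
        if tag == "a":  # a:<count>:{key;value;...}
            count = int(read_until(":"))
            take("{")
            result = {}
            for _ in range(count):
                key = parse_value()
                if not isinstance(key, (int, str)) or isinstance(key, bool):
                    raise PhpSerializeError("array keys must be int or string")
                result[key] = parse_value()
            take("}")
            return result
        raise PhpSerializeError(f"unsupported type tag {tag!r}")

    value = parse_value()
    if pos != len(data):
        raise PhpSerializeError(f"trailing data at offset {pos}")
    return value


def classify_value(raw: str) -> str:
    """Return 'ok', 'object_injection' or 'malformed' for a submitted value.

    URL-decoding comes first: a rule matching the raw cookie misses payloads
    sent as O%3A8%3A... instead of O:8:...
    """
    try:
        parse_php_serialized(unquote(raw))
    except UnsafeSerializedValue:
        return "object_injection"
    except PhpSerializeError:
        return "malformed"
    return "ok"


# Constructed samples: benign consent arrays, two object-injection payloads
# (stdClass stands in for a gadget class) and a truncated value.
SAMPLE_VALUES = {
    "benign": 'a:2:{s:9:"marketing";b:1;s:9:"analytics";b:0;}',
    "benign_urlencoded": "a%3A1%3A%7Bs%3A9%3A%22marketing%22%3Bb%3A1%3B%7D",
    "top_level_object": 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}',
    "object_inside_array": 'a:1:{s:9:"marketing";O:8:"stdClass":0:{}}',
    "truncated": "a:1:{",
}


def scan_samples() -> dict:
    """Return {sample name: verdict} for every constructed sample."""
    return {name: classify_value(value) for name, value in SAMPLE_VALUES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:22s} {verdict}")
```

The parser deliberately has no object branch at all, which is the Python analogue of calling unserialize() with ['allowed_classes' => false]: a benign consent array decodes to a plain mapping, while any value that would make PHP instantiate a class is rejected before its contents are examined. In the plugin itself the equivalent fix is to store the consent state as JSON, or to pass that option to unserialize().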

Responsible

Wordfence

Reservation

06/06/2023

Disclosure

06/07/2023

Moderation

accepted

CPE

ready

EPSS

0.01719

KEV

no

Activities

very low

Sources
