CVE-2023-6700 in Cookie Information Plugininfo

Summary

by MITRE • 02/06/2024

The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options which can be used to create administrator accounts.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2023-6700 affects the Cookie Information | Free GDPR Consent Solution plugin for WordPress, a widely used tool designed to help websites comply with European data protection regulations. This particular flaw exists in plugin versions up to and including 2.0.22, representing a critical security oversight that undermines the integrity of WordPress installations relying on this consent management solution. The vulnerability stems from insufficient access control mechanisms within the plugin's AJAX request handling functionality, creating a pathway for malicious actors to exploit the system's permission model.

The technical flaw manifests through a missing capability check within the AJAX endpoint that processes option updates. In WordPress security architecture, capability checks serve as fundamental access control mechanisms that ensure only users with appropriate permissions can perform specific actions. This missing validation allows authenticated users with subscriber-level privileges or higher to submit malicious AJAX requests that bypass normal WordPress permission controls. The vulnerability operates at the application layer, specifically targeting the plugin's administrative interface functionality that should be restricted to users with administrator or editor roles.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it enables attackers to modify arbitrary site options within the WordPress configuration. This capability provides attackers with the means to manipulate core system settings, potentially leading to complete system compromise. The most severe consequence involves the ability to create administrator accounts, which effectively grants attackers full control over the WordPress installation. This vulnerability essentially transforms a low-privilege user account into a full administrative privilege, bypassing standard WordPress security models and creating persistent access vectors for attackers.

From a cybersecurity perspective, this vulnerability aligns with CWE-863, which addresses "Incorrect Authorization" and represents a classic example of insufficient access control. The flaw also maps to ATT&CK technique T1078.004, "Valid Accounts: Cloud Accounts," as it enables attackers to escalate privileges within the WordPress environment. Organizations using this plugin face significant risk exposure, particularly in environments where subscriber accounts may be compromised or where users with lower privileges have access to the system. The vulnerability's exploitability is enhanced by the fact that it requires only authenticated access, which is often easier to achieve through credential theft or social engineering attacks.

The recommended mitigation strategy involves immediate plugin updates to versions that include proper capability checks and access controls. WordPress administrators should also implement additional security measures such as role-based access controls, regular security audits, and monitoring of suspicious administrative activities. Network segmentation and multi-factor authentication can provide additional layers of protection against privilege escalation attempts. Organizations should conduct comprehensive vulnerability assessments to identify other plugins or components that may exhibit similar authorization flaws, ensuring that all WordPress installations maintain proper security hygiene and access control mechanisms.

Responsible

Wordfence

Reservation

12/11/2023

Disclosure

02/06/2024

Moderation

accepted

CPE

ready

EPSS

0.01470

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!