CVE-2024-1592 in Complianz Plugininfo

Summary

by MITRE • 03/02/2024

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.6. This is due to missing or incorrect nonce validation on the process_delete function in class-DNSMPD.php. This makes it possible for unauthenticated attackers to delete GDPR data requests via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/12/2026

The Complianz GDPR/CCPA Cookie Consent plugin for WordPress represents a critical security vulnerability identified as CVE-2024-1592, affecting all versions up to and including 6.5.6. This vulnerability manifests as a cross-site request forgery weakness that fundamentally compromises the integrity of data management processes within WordPress environments. The flaw specifically resides in the process_delete function located within the class-DNSMPD.php file, where proper nonce validation mechanisms are either absent or improperly implemented. This weakness creates a significant attack surface that allows unauthenticated adversaries to exploit administrative privileges through social engineering techniques.

The technical implementation of this vulnerability stems from the absence of proper request validation within the plugin's administrative processing functions. Nonce validation serves as a cryptographic token mechanism that ensures requests originate from legitimate administrative sessions and prevents unauthorized operations. When this validation fails or is completely omitted, attackers can construct malicious requests that appear to come from authenticated administrators. The vulnerability operates through a straightforward attack vector where an attacker crafts a forged request that targets the delete functionality, effectively bypassing the normal authentication and authorization checks that should protect sensitive data operations.

The operational impact of this vulnerability extends beyond simple data deletion capabilities, as it directly threatens the integrity of GDPR compliance mechanisms within WordPress installations. The plugin's primary function involves managing cookie consent and data request processing, making it a critical component for maintaining regulatory compliance. When an attacker successfully exploits this CSRF vulnerability, they can delete GDPR data requests without proper authorization, potentially compromising the privacy rights of website visitors and undermining the organization's compliance posture. This attack scenario becomes particularly dangerous when considering that administrators may inadvertently click on malicious links or be tricked into performing actions through phishing campaigns or compromised third-party sites.

Security practitioners should recognize this vulnerability as a direct violation of several cybersecurity principles, including the principle of least privilege and proper input validation. The weakness aligns with CWE-352, which specifically addresses Cross-Site Request Forgery vulnerabilities, and demonstrates poor implementation of the principle of defense in depth. The attack pattern follows typical CSRF exploitation techniques documented in the MITRE ATT&CK framework under the T1566 tactic for initial access through social engineering. Organizations running affected versions of the Complianz plugin face significant risk of data integrity compromise, regulatory violations, and potential legal consequences related to GDPR compliance failures. The vulnerability's impact is amplified by the fact that it requires minimal technical expertise to exploit, making it particularly dangerous in environments where administrators may not be fully aware of the risks associated with clicking on untrusted links.

Mitigation strategies should focus on immediate version updates to the plugin, as the vulnerability has been addressed in subsequent releases. Organizations must also implement additional security controls including web application firewalls, monitoring for unusual administrative activities, and regular security audits of installed plugins. Network administrators should consider implementing strict access controls and user training programs to reduce the risk of social engineering attacks that could exploit this vulnerability. The incident underscores the critical importance of maintaining up-to-date security patches and conducting regular vulnerability assessments of third-party software components within WordPress environments.

Responsible

Wordfence

Reservation

02/16/2024

Disclosure

03/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00204

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!