CVE-2023-6700: 
WordPress vulnerability analysis and mitigation

The Cookie Information | Free GDPR Consent Solution plugin for WordPress contains a critical vulnerability (CVE-2023-6700) affecting versions up to and including 2.0.22. This security flaw, discovered in January 2024, impacts over 100,000 active WordPress installations. The vulnerability received a CVSS score of 8.8 (HIGH), indicating its severe nature (Wordfence, SecurityOnline).

The vulnerability stems from a missing capability check on the plugin's AJAX request handler, classified as CWE-862 (Missing Authorization). The flaw allows authenticated users with subscriber-level access or higher to perform arbitrary option updates on the site. The technical implementation involves exploiting the wpgdprc_update_integration AJAX action, which lacks proper authorization controls (WPScan).

The vulnerability enables authenticated attackers to modify arbitrary site options, which can be leveraged to create unauthorized administrator accounts. This level of access could lead to complete site compromise, potentially affecting user data and GDPR compliance. The severity is heightened by the plugin's role in managing GDPR consent and cookie policies (SecurityOnline).

The vulnerability has been patched in version 2.0.23 of the Cookie Information plugin. Website administrators are strongly advised to update to this latest version immediately to protect their sites from potential exploitation (WPScan).