CVE-2024-11069: 
WordPress vulnerability analysis and mitigation

The WordPress GDPR plugin for WordPress contains a critical vulnerability (CVE-2024-11069) discovered on November 17, 2024. The vulnerability affects all versions up to and including 2.0.2, and is caused by a missing capability check on the 'WordPress_GDPR_Data_Delete::check_action' function. This security flaw enables unauthenticated attackers to delete arbitrary users from the system (NVD, Wordfence Advisory).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received varying CVSS v3.1 severity ratings. NIST assigned a Critical severity score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), while Wordfence rated it as Medium severity with a score of 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L). The vulnerability stems from a missing authorization check in the plugin's user deletion functionality (NVD).

The vulnerability allows unauthenticated attackers to delete arbitrary users from WordPress installations running the affected plugin versions. This can result in unauthorized loss of user data and potential disruption of website operations (NVD).

Website administrators running the WordPress GDPR plugin should immediately update to version 2.0.3 or later to address this vulnerability (Product Changelog).