CVE-2021-4358

7.2 HIGH

📋 TL;DR

This is an unauthenticated stored cross-site scripting (XSS) flaw in the WP DSGVO Tools (GDPR) plugin for WordPress. An attacker with no account on the site can submit a script payload that the plugin stores and later renders into pages, so the script runs in the browser of anyone who visits those pages. It affects sites running the plugin up to and including version 3.1.23 and puts visitor sessions and site integrity at risk.

💻 Affected Systems

Products:
  • WP DSGVO Tools (GDPR) plugin for WordPress
Versions: Up to and including 3.1.23
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin version are affected; no special configuration required.

📦 What is this software?

WP DSGVO Tools (GDPR) is a WordPress plugin that helps site owners meet EU GDPR (German: DSGVO) obligations such as cookie consent and privacy notices. It is distributed through the WordPress plugin directory under the slug wp-dsgvo-tools.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal session cookies of visitors and administrators, redirect users to malicious sites, or deface the website, leading to data breaches and reputational damage.

🟠 Likely Case

Attackers inject scripts that steal visitor credentials or session data, enabling account takeover or further attacks against the site and its users.

🟢 If Mitigated

Once the plugin is updated to a version that sanitizes the input and escapes it on output, injected payloads are rendered as inert text and the script no longer executes; no attacker-controlled script reaches visitors' browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploits are actively being used in the wild, making this a high-priority issue for affected sites.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.24 or later

Vendor Advisory: https://wordpress.org/plugins/wp-dsgvo-tools/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP DSGVO Tools (GDPR) and update to version 3.1.24 or higher.
4. Verify that the update completed successfully and that the listed version is 3.1.24 or higher.

🔧 Temporary Workarounds

Disable the plugin temporarily (applies to: all affected versions)

Deactivate the WP DSGVO Tools plugin to prevent exploitation until it can be patched. Deactivating it also removes the plugin's GDPR functionality from the site, so plan the patch window accordingly.

wp plugin deactivate wp-dsgvo-tools

🧯 If You Can't Patch

  • Put a web application firewall (WAF) in front of the site with rules that block XSS payloads (script tags, javascript: URIs, inline event handlers) in requests to the plugin's endpoints.
  • Restrict access to the WordPress admin interface by IP or VPN. This does not stop the unauthenticated injection itself, but it limits what an attacker can do with a stolen admin session cookie. Monitor logs for unusual activity.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in WordPress admin under Plugins > Installed Plugins; if version is 3.1.23 or lower, it is vulnerable.

Check Version:

wp plugin get wp-dsgvo-tools --field=version

Verify Fix Applied:

After updating, confirm in the same location (or with the wp-cli command above) that the plugin version is 3.1.24 or higher. If you reproduced the issue before patching, re-run the same injection attempt and confirm the payload is now rendered as inert text rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to plugin endpoints with script tags or JavaScript payloads in parameters.

Network Indicators:

  • Inbound traffic containing malicious scripts directed at the plugin's vulnerable parameter.

SIEM Query (adapt to your SIEM's syntax; shown in Lucene-style notation):

source:"wordpress_logs" AND message:"wp-dsgvo-tools" AND message:("<script" OR "javascript:" OR "onerror=")

Payloads usually arrive URL-encoded, so apply the match to the URL-decoded request field, or add the encoded variants (for example "%3Cscript") to the query.
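The log indicators above can be checked offline before a SIEM rule is written. The following is an added example for this advisory (not code from the plugin, the vendor, or the original page) that parses web-server access-log lines in the common "combined" format, URL-decodes the request (double-encoding included), and flags requests that both reference the plugin and carry a script marker. The advisory does not name the vulnerable parameter or endpoint, so the plugin-scope check is an assumption: it treats any request whose URI or referer mentions the slug wp-dsgvo-tools, or that targets the generic admin-ajax.php / admin-post.php entry points, as in scope. The log lines are constructed for the example; the "hypothetical_action" parameter in one of them is invented.

```python
"""Flag access-log entries that look like XSS attempts against wp-dsgvo-tools.

Added example for this advisory, not code from the plugin or its vendor.
Assumptions (the advisory names no vulnerable parameter or endpoint):
  * in scope = URI/referer mentions "wp-dsgvo-tools", or the path is one of the
    generic WordPress entry points admin-ajax.php / admin-post.php;
  * script markers are matched on the URL-decoded text, since probes are encoded.
Access logs only carry the query string, not POST bodies; for bodies you need a
WAF or ModSecurity audit log. The sample lines below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

PLUGIN_SLUG = "wp-dsgvo-tools"
# Generic WordPress entry points a plugin may expose to unauthenticated callers.
WP_ENTRY_POINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")

# Common XSS markers, checked case-insensitively on decoded text.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|<\s*(?:img|svg|iframe|body)\b[^>]*\bon\w+\s*=|"
    r"\bon(?:error|load|mouseover|focus)\s*=",
    re.IGNORECASE,
)


def decode(s: str) -> str:
    """URL-decode up to three times; scanners often double-encode payloads."""
    for _ in range(3):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_plugin_related(uri: str, referer: str) -> bool:
    path = uri.split("?", 1)[0]
    return PLUGIN_SLUG in uri or PLUGIN_SLUG in referer or path in WP_ENTRY_POINTS


def classify(line: str):
    """Return (ip, raw_uri, matched_marker) for a suspicious line, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    uri, ref = decode(rec["uri"]), decode(rec["referer"])
    if not is_plugin_related(uri, ref):
        return None
    m = XSS_MARKERS.search(uri) or XSS_MARKERS.search(ref)
    return (rec["ip"], rec["uri"], m.group(0)) if m else None


def scan(lines):
    """Run classify() over an iterable of log lines and return the hits in order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log (RFC 5737 test addresses; paths are illustrative only).
SAMPLE_LOG = [
    '198.51.100.4 - - [12/Mar/2024:10:14:55 +0000] "GET /wp-content/plugins/wp-dsgvo-tools/assets/frontend.js?ver=3.1.23 HTTP/1.1" 200 4120 "https://example.org/" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /wp-admin/admin-post.php?page=wp-dsgvo-tools&q=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.9 - - [12/Mar/2024:10:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=hypothetical_action&msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 33 "-" "curl/8.4.0"',
    '198.51.100.8 - - [12/Mar/2024:10:15:30 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2024:10:15:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "https://example.org/wp-admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, uri, marker in scan(SAMPLE_LOG):
        print(f"{ip} marker={marker!r} uri={uri}")
```

The fourth sample line carries a script probe too, but against the site search rather than the plugin, so this scoped detector ignores it; a general XSS rule would catch it. Tune the entry-point assumption to your own deployment once you know which endpoint the plugin actually exposes.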
