The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available for unauthenticated users, even unauthenticated users are able to update the database. The plugin has more than 100 000+ active installations according to WordPress.org. WPScans.com has been updated to check for this vulnerability, run your free scan today.
Except for the “Try Gutenberg” callout in the just released WordPress version 4.9.8 there are a ton of privacy fixes. The 4.9.8 WordPress release includes a total of 18 Privacy fixes focused on ensuring consistency and flexibility in the new personal data tools that were added in 4.9.6. Some of the privacy fixes include: The type of request being confirmed is now included in the subject line for all privacy confirmation emails. Improved consistency with site name being used for privacy emails in multisite. Pagination for Privacy request admin screens can now be adjusted. Increased the test coverage for several core privacy functions. I think this is a small step but in the right direction for the WordPress community. Privacy[…]