From 3de07f1bff3dc27af0894a25f5144ef250ada300 Mon Sep 17 00:00:00 2001
From: Jacob Robles <jrobles@rapid7.com>
Date: Thu, 29 Nov 2018 06:35:37 -0600
Subject: [PATCH] Add Notes metadata and warning

---
 .../auxiliary/admin/http/wp_gdpr_compliance_privesc.rb    | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb b/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb
index 8b57c49da6..5ab310f2b5 100644
--- a/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb
+++ b/modules/auxiliary/admin/http/wp_gdpr_compliance_privesc.rb
@@ -13,9 +13,13 @@ class MetasploitModule < Msf::Auxiliary
       'Description'     => %q{
         The Wordpress GDPR Compliance plugin <= v1.4.2 allows unauthenticated users to set
         wordpress administration options by overwriting values within the database.
+
         The vulnerability is present in WordPress’s admin-ajax.php, which allows unauthorized
         users to trigger handlers and make configuration changes because of a failure to do
         capability checks when executing the 'save_setting' internal action.
+
+        WARNING: The module sets Wordpress configuration options without reading their current
+        values and restoring them later.
       },
       'Author'          =>
         [
@@ -29,6 +33,10 @@ class MetasploitModule < Msf::Auxiliary
           ['CVE', '2018-19207'],
           ['WPVDB', '9144']
         ],
+      'Notes'           =>
+        {
+          'SideEffects' =>  [CONFIG_CHANGES]
+        },
       'DisclosureDate'  => 'Nov 08 2018'
     ))