A GDPR compliance plugin for WordPress has turned out to be vulnerable, exposing website owners to critical security issues.
GDPR Cookie Consent Plugin Vulnerable
The GDPR Cookie Consent plugin by the Cookie Law Info developer has been offered through WebToffee, a platform that offers various extensions for WordPress and WooCommerce websites. As visible by the plugin’s name, it is meant to provide compliancy with the EU’s GDPR law. The plugin is designed to specifically obtain consent for cookies from website visitors. It also helps create a Privacy and Cookies Policy page and enables compliance banners.
The plugin has more than 700,000 active installations, according to numbers in the WordPress library. This means that hundreds of thousands of websites are at risk.
The vulnerability within the plugin was uncovered by NinTechNet researcher Jerome Bruandet, and it affects GDPR Cookie Consent version 1.8.2 and previous.
The flaw is defined as critical, and is caused by missed capabilities checks. If exploited, it can lead to authenticated, XSS attacks and privilege escalation attacks.
What is causing the vulnerability? A vulnerable AJAX endpoint. According to Wordfence researchers:
Because the AJAX endpoint was intended to only be accessible to administrators, the vulnerability allows subscriber-level users to perform a number of actions that can compromise the site’s security. There are 3 actions that the vulnerability exposes to subscribers: get_policy_pageid, autosave_contant_data, and save_contentdata.
get_policy_pageid returns the post ID of the plugin’s configured cookie policy page, and isn’t much of a risk to subscribers. autosave_contant_data defines the default content that appears in the cookie policy preview page. The stored HTML content is unfiltered and can contain cross-site scripting (XSS) payloads, the researchers explained.
save_contentdata is creates or updates the corresponding post used as the GDPR Cookie Policy page that site visitors view to choose whether to accept cookies from the site or not.
The action takes a page_id parameter along with a content_data parameter which contains the post content. The page_id parameter allows the attacker to update the post content of any post. Additionally, it will set the post status to draft, so attackers looking to use this vulnerability for defacement won’t be able to display the post content to normal end users of the site. It could potentially be used to remove posts and pages from the public-facing portion of the site though.
The good news is that the vulnerability has been fixed in version 1.8.3. Website owners using the plugin should immediately update to the latest version available to avoid exploits.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: