A GDPR compliance plugin for WordPress has turned out to be vulnerable, exposing website owners to critical security issues.
GDPR Cookie Consent Plugin Vulnerable
The GDPR Cookie Consent plugin, developed by Cookie Law Info, is distributed through WebToffee, a platform that offers various extensions for WordPress and WooCommerce websites. As its name suggests, it is meant to help sites comply with the EU’s GDPR. The plugin is designed specifically to obtain cookie consent from website visitors. It also helps create a Privacy and Cookie Policy page and displays compliance banners.
The plugin has more than 700,000 active installations, according to the WordPress plugin directory. This means that hundreds of thousands of websites are at risk.
The vulnerability in the plugin was uncovered by NinTechNet researcher Jerome Bruandet, and it affects GDPR Cookie Consent version 1.8.2 and earlier.
The flaw is rated critical and is caused by missing capability checks. If exploited, it can lead to authenticated XSS attacks and privilege escalation.
What is causing the vulnerability? A vulnerable AJAX endpoint. According to Wordfence researchers:
Because the AJAX endpoint was intended to only be accessible to administrators, the vulnerability allows subscriber-level users to perform a number of actions that can compromise the site’s security. There are 3 actions that the vulnerability exposes to subscribers: get_policy_pageid, autosave_contant_data, and save_contentdata.
The action takes a page_id parameter along with a content_data parameter which contains the post content. The page_id parameter allows the attacker to update the post content of any post. Additionally, it will set the post status to draft, so attackers looking to use this vulnerability for defacement won’t be able to display the post content to normal end users of the site. It could potentially be used to remove posts and pages from the public-facing portion of the site though.
The good news is that the vulnerability has been fixed in version 1.8.3. Website owners using the plugin should update to the latest available version immediately to avoid exploitation.
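The root cause described above, a `wp_ajax_` handler that trusts any logged-in user, is a general WordPress pattern. The following is an added illustration, not the plugin’s own code: a generic admin-only AJAX handler shown in its weak form and then hardened with a nonce check and a capability check. The action slug `example_save_page`, the function names and the request parameters are assumptions.

```php
<?php
// Added example, not code from the GDPR Cookie Consent plugin.
// Action slug "example_save_page" and function names are hypothetical.

// Weak pattern: a wp_ajax_ hook only requires that the caller is logged in.
// Any subscriber can call admin-ajax.php?action=example_save_page and
// overwrite the content of any post whose ID they supply.
function example_save_page_weak() {
    $page_id = absint( $_POST['page_id'] ?? 0 );
    $content = wp_kses_post( wp_unslash( $_POST['content_data'] ?? '' ) );
    wp_update_post( array(
        'ID'           => $page_id,
        'post_content' => $content,
        'post_status'  => 'draft',
    ) );
    wp_send_json_success();
}
// Deliberately not registered; kept only to show the missing checks.
// add_action( 'wp_ajax_example_save_page', 'example_save_page_weak' );

// Hardened pattern: verify a nonce bound to this action (fails closed with
// HTTP 403 on mismatch), then require the capability the operation really
// needs before touching the post.
function example_save_page_hardened() {
    check_ajax_referer( 'example_save_page', 'nonce' );

    $page_id = absint( $_POST['page_id'] ?? 0 );
    if ( ! $page_id || ! current_user_can( 'edit_post', $page_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // Feature intended for administrators only: check that as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $content = wp_kses_post( wp_unslash( $_POST['content_data'] ?? '' ) );
    $result  = wp_update_post( array(
        'ID'           => $page_id,
        'post_content' => $content,
        'post_status'  => 'draft',
    ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'page_id' => $page_id ) );
}
add_action( 'wp_ajax_example_save_page', 'example_save_page_hardened' );

// The admin-side script must send the matching nonce, e.g. from
// wp_create_nonce( 'example_save_page' ) passed via wp_localize_script().
```

When reviewing a plugin, every `wp_ajax_` and `wp_ajax_nopriv_` callback deserves the same two questions: does it verify a nonce, and does it check a capability appropriate to what it modifies?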