Have you been using the WordPress GDPR plugin called WP GDPR Compliance? Be cautious: the plugin contains a critical vulnerability that is being actively exploited.
The WP GDPR Compliance plugin lets website owners add a consent checkbox to their forms so that visitors can grant permission for their data to be processed. It also lets visitors request a copy of the data that the WordPress site holds about them.
According to Wordfence researchers, the plugin was found to be vulnerable and was removed from the WordPress plugin repository yesterday. The plugin's developers have since released version 1.4.3, which patches the critical vulnerabilities, and the plugin has been reinstated in the repository. It has over 100,000 active installations.
WP GDPR Compliance Plugin Vulnerabilities Explained
According to Wordfence, the vulnerabilities allow unauthenticated attackers to achieve privilege escalation, which they can then use to further compromise vulnerable WordPress sites.
In technical terms, the WP GDPR Compliance plugin handles a few types of actions submitted through WordPress's admin-ajax.php endpoint. These normally include data access requests and data deletion requests, but the same code path also lets the plugin's settings be changed from the WordPress admin dashboard.
Vulnerable versions of the plugin (up to and including version 1.4.2) fail to perform capability checks when executing the internal save_setting action that makes such configuration changes. If an attacker submits arbitrary option names and values to this endpoint, they are stored in the options table of the affected site's database, Wordfence said, adding that:
In addition to the storage of arbitrary options values, the plugin performs a do_action() call using the provided option name and value, which can be used by attackers to trigger arbitrary WordPress actions.
The issue has been reported as two separate flaws: an arbitrary options update bug and an arbitrary action call bug. Nonetheless, both reside in the same block of code and are triggered by the same payload, so they can be treated as a single privilege escalation vulnerability.
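To make the flaw concrete, here is an added example (not the plugin's own code and not from Wordfence) that models the pattern described above: an admin-ajax.php handler that writes whatever option name and value it is given and then calls do_action() with that same name, beside a hardened version of the same handler. WordPress itself is not loaded; update_option(), add_action(), do_action() and current_user_can() are replaced by tiny in-memory stand-ins so the file runs on plain PHP 7.1 or later. The handler names, the option names in the allow-list and the site_maintenance hook are all assumptions made for the illustration.

```php
<?php
// Added example, not the plugin's code. Minimal in-memory stand-ins for the
// WordPress functions involved, so the file runs without WordPress.
$options = [];            // stands in for the wp_options table
$actions = [];            // stands in for the WordPress action registry
$current_user_caps = [];  // capabilities of the caller; empty = unauthenticated

function update_option(string $name, $value): void {
    global $options;
    $options[$name] = $value;
}
function add_action(string $hook, callable $cb): void {
    global $actions;
    $actions[$hook][] = $cb;
}
function do_action(string $hook, ...$args): void {
    global $actions;
    foreach ($actions[$hook] ?? [] as $cb) {
        $cb(...$args);
    }
}
function current_user_can(string $cap): bool {
    global $current_user_caps;
    return in_array($cap, $current_user_caps, true);
}

// Vulnerable shape: no capability check, option name and value taken verbatim
// from the request, and the option name reused as a hook name for do_action().
function vulnerable_save_setting(array $request): string {
    $name  = (string) ($request['option'] ?? '');
    $value = $request['value'] ?? '';
    update_option($name, $value);   // arbitrary option write
    do_action($name, $value);       // arbitrary action trigger
    return 'saved';
}

// Hardened shape: require the manage_options capability, accept only option
// names from an allow-list, and fire a fixed hook instead of a caller-chosen one.
// The option names below are assumed for the example, not the plugin's real ones.
const ALLOWED_OPTIONS = ['example_checkbox_text', 'example_request_form_enabled'];

function hardened_save_setting(array $request): string {
    if (!current_user_can('manage_options')) {
        return 'forbidden';
    }
    $name = (string) ($request['option'] ?? '');
    if (!in_array($name, ALLOWED_OPTIONS, true)) {
        return 'invalid option';
    }
    update_option($name, $request['value'] ?? '');
    do_action('example_settings_saved', $name);  // fixed hook name, no user input
    return 'saved';
}

// A hook on the site that an anonymous visitor should never be able to fire.
add_action('site_maintenance', function ($arg) {
    echo "site_maintenance hook fired with: $arg\n";
});

// Constructed request from an unauthenticated caller.
$anon_request = ['option' => 'site_maintenance', 'value' => 'attacker-controlled'];

$result = vulnerable_save_setting($anon_request);
echo "vulnerable handler, unauthenticated: $result\n";
print_r($options);        // site_maintenance => attacker-controlled is now stored
$options = [];

$result = hardened_save_setting($anon_request);
echo "hardened handler, unauthenticated: $result\n";   // forbidden

$current_user_caps = ['manage_options'];
$result = hardened_save_setting(['option' => 'example_checkbox_text', 'value' => 'I agree']);
echo "hardened handler, administrator: $result\n";      // saved
print_r($options);
```

In a real plugin the hardened handler should also verify a nonce with check_ajax_referer() before doing anything else, and should not be registered on a wp_ajax_nopriv_ hook at all if only administrators are meant to reach it; the capability check is what stops an anonymous request from writing to wp_options, and the fixed hook name is what removes the arbitrary action call.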
Reports indicate that the vulnerability is being exploited in the wild. In some cases, the ability to update arbitrary option values has been used to create new administrator accounts on the affected WordPress sites.
In several of the cases we've triaged since the disclosure of this vulnerability, we've seen malicious administrator accounts present with variations of the username t2trollherten. This intrusion vector has also been associated with uploaded webshells named wp-cache.php, Wordfence said.
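The two indicators Wordfence names, administrator accounts whose login is a variation of t2trollherten and files named wp-cache.php, are easy to sweep for. The following is an added triage script, not Wordfence's tooling or the plugin's code. It takes a list of users (login and role) and a document root; both are constructed inline here so it runs offline. On a real site you would feed it the rows from wp_users joined with the role stored in wp_usermeta (or the output of wp user list) and the site's actual document root.

```php
<?php
// Added example, not from Wordfence or the plugin. Sweeps for the two indicators
// reported after exploitation: administrator accounts with a login resembling
// "t2trollherten" and files named wp-cache.php anywhere under the web root.

function suspicious_admins(array $users): array {
    $hits = [];
    foreach ($users as $u) {
        // Normalise so case changes and appended digits or punctuation still match.
        $normalized = preg_replace('/[^a-z]/', '', strtolower($u['user_login']));
        if ($u['role'] === 'administrator' && strpos($normalized, 'trollherten') !== false) {
            $hits[] = $u['user_login'];
        }
    }
    return $hits;
}

function find_webshells(string $root): array {
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (strtolower($file->getFilename()) === 'wp-cache.php') {
            $found[] = $file->getPathname();
        }
    }
    sort($found);
    return $found;
}

// Constructed sample data: a user list and a throwaway directory tree with one
// planted wp-cache.php, so the script can be run without a real site.
$users = [
    ['user_login' => 'editor_jane',    'role' => 'editor'],
    ['user_login' => 'T2TrollHerten',  'role' => 'administrator'],
    ['user_login' => 't2trollherten2', 'role' => 'administrator'],
    ['user_login' => 'admin',          'role' => 'administrator'],
];

$root = sys_get_temp_dir() . '/wp-triage-' . getmypid();
mkdir("$root/wp-content/uploads", 0700, true);
file_put_contents("$root/wp-content/uploads/wp-cache.php", "<?php // planted for the demo\n");
file_put_contents("$root/wp-content/index.php", "<?php // harmless\n");

echo "Suspicious administrator accounts:\n";
print_r(suspicious_admins($users));   // T2TrollHerten, t2trollherten2

echo "Files named wp-cache.php under $root:\n";
print_r(find_webshells($root));       // .../wp-content/uploads/wp-cache.php

// Clean up the constructed tree.
unlink("$root/wp-content/uploads/wp-cache.php");
unlink("$root/wp-content/index.php");
rmdir("$root/wp-content/uploads");
rmdir("$root/wp-content");
rmdir($root);
```

A hit from either function is a lead, not proof: inspect the file's contents and the account's creation date and last login before removing anything, and remember that an attacker who planted one webshell may have planted others under different names, so a clean sweep for wp-cache.php alone does not clear the site.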
Website owners who use this plugin should immediately update to the latest version (1.4.3), which is patched against the attacks described above. Updating closes the vulnerability but does not undo an existing compromise: sites that were running a vulnerable version should also review their administrator accounts and look for unexpected files such as wp-cache.php.