WP GDPR Compliance Plugin Vulnerabilities Exploited in Attacks


Are you using the WordPress GDPR plugin called WP GDPR Compliance? Be cautious: versions up to and including 1.4.2 contain critical vulnerabilities that are already being exploited in the wild.

The WP GDPR Compliance plugin lets website owners add a consent checkbox to their sites so that visitors can grant permission for their data to be processed. It also lets visitors request copies of the data that the particular WordPress site collects about them.

According to Wordfence researchers, critical vulnerabilities were found in the plugin, and it was removed from the WordPress plugin repository yesterday. The plugin developers have since released version 1.4.3, which patches them. The plugin has been reinstated and currently has over 100,000 active installations.


WP GDPR Compliance Plugin Vulnerabilities Explained

According to Wordfence, the vulnerabilities allow unauthenticated attackers to escalate their privileges, which they can then use to further compromise the vulnerable WordPress sites.

In technical terms, the WP GDPR Compliance plugin handles a few types of actions that are submitted through WordPress's admin-ajax.php endpoint. These include data access requests and data deletion requests, but there is also functionality to change the plugin's settings from the WordPress admin dashboard.

Vulnerable versions of the plugin (up to and including version 1.4.2) fail to perform capability checks when executing the internal save_setting action that makes such configuration changes. If a threat actor submits arbitrary option names and values to this endpoint, they are stored in the options table of the affected site's database, Wordfence said, adding that:

In addition to the storage of arbitrary options values, the plugin performs a do_action() call using the provided option name and value, which can be used by attackers to trigger arbitrary WordPress actions.

The vulnerability has been reported as two separate flaws: an arbitrary options update bug and an arbitrary action call bug. Both, however, reside in the same block of code and are triggered by the same payload, so they can be treated as a single privilege escalation vulnerability.
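As an added illustration of the pattern described above (this is not the plugin's actual code and is not taken from the Wordfence write-up), the following shows an admin-ajax settings handler with the two defects side by side with a hardened version. Every name prefixed wpgdpr_demo_ is hypothetical; the WordPress API calls themselves (add_action, update_option, do_action, current_user_can, check_ajax_referer, wp_send_json_*) are real.

```php
<?php
// Illustrative code modelled on the flaw described in the article.
// NOT the WP GDPR Compliance plugin's own code; wpgdpr_demo_* names are invented.

// --- Vulnerable pattern -------------------------------------------------------
// Registering a nopriv_ variant exposes the handler to anonymous visitors too.
add_action('wp_ajax_wpgdpr_demo_save_setting',        'wpgdpr_demo_save_setting_vulnerable');
add_action('wp_ajax_nopriv_wpgdpr_demo_save_setting', 'wpgdpr_demo_save_setting_vulnerable');

function wpgdpr_demo_save_setting_vulnerable() {
    $option = isset($_POST['option']) ? $_POST['option'] : '';
    $value  = isset($_POST['value'])  ? $_POST['value']  : '';

    // Defect 1: no current_user_can() check, so an unauthenticated caller
    // controls both the option name and its value (arbitrary options update).
    update_option($option, $value);

    // Defect 2: the hook name comes from the request, so any action registered
    // under that name fires with an attacker-chosen argument (arbitrary action call).
    do_action($option, $value);

    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------------
// No wp_ajax_nopriv_ registration: a settings endpoint has no anonymous use case.
add_action('wp_ajax_wpgdpr_demo_save_setting_safe', 'wpgdpr_demo_save_setting_safe');

function wpgdpr_demo_save_setting_safe() {
    // 1. Capability check: only users who may manage options get this far.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 2. CSRF check against the nonce the settings page embedded (nonce action
    //    name 'wpgdpr_demo_settings' and field name 'security' are assumptions).
    check_ajax_referer('wpgdpr_demo_settings', 'security');

    // 3. Allowlist: only these option names may be written, each with its own
    //    sanitizer, so the request cannot name an arbitrary option.
    $allowed = array(
        'wpgdpr_demo_checkbox_text' => 'sanitize_text_field',
        'wpgdpr_demo_enable_forms'  => 'rest_sanitize_boolean',
    );
    $option = isset($_POST['option']) ? sanitize_key(wp_unslash($_POST['option'])) : '';
    if (!array_key_exists($option, $allowed)) {
        wp_send_json_error('unknown option', 400);
    }
    $raw   = isset($_POST['value']) ? wp_unslash($_POST['value']) : '';
    $value = call_user_func($allowed[$option], $raw);

    update_option($option, $value);

    // 4. Fire a fixed, plugin-specific hook; never a caller-supplied hook name.
    do_action('wpgdpr_demo_setting_saved', $option, $value);

    wp_send_json_success(array('option' => $option));
}
```

The two fixes that matter are the capability check and the allowlist: the nonce alone would not help here, since the vulnerable handler is reachable without any session at all, and sanitizing the value without constraining the option name would still let a request overwrite any row in wp_options.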


According to reports, the WP GDPR Compliance plugin vulnerability has been exploited in the wild. In some cases, the ability to update arbitrary option values has been used to create new administrator accounts on the affected WordPress sites.

In several of the cases we’ve triaged since the disclosure of this vulnerability, we’ve seen malicious administrator accounts present with variations of the username t2trollherten. This intrusion vector has also been associated with uploaded webshells named wp-cache.php, Wordfence said.
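The two indicators quoted above can be checked directly on a site. The following triage helper is an added example, not Wordfence's or the plugin's code; it is meant to be run inside WordPress (for instance with WP-CLI's wp eval-file), but the two pure functions also run on their own with the constructed sample data at the bottom. The wpgdpr_demo_ names are invented; get_users, wp_list_pluck and ABSPATH are real WordPress symbols.

```php
<?php
// Added triage helper for the indicators reported above (not the plugin's code).

// Flag administrator usernames that are variants of the reported one:
// compare case-insensitively and ignore digits and separators an attacker may append.
function wpgdpr_demo_suspicious_admins(array $admin_usernames, $needle = 't2trollherten') {
    $hits = array();
    foreach ($admin_usernames as $login) {
        $normalised = preg_replace('/[^a-z]/', '', strtolower($login));
        if (strpos($normalised, $needle) !== false) {
            $hits[] = $login;
        }
    }
    return $hits;
}

// Walk $root and return every file named wp-cache.php, wherever it sits.
// Each hit is reported for manual inspection rather than judged automatically.
function wpgdpr_demo_find_wp_cache_php($root) {
    $found = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        if ($info->isFile() && strtolower($info->getFilename()) === 'wp-cache.php') {
            $found[] = $path;
        }
    }
    return $found;
}

if (function_exists('get_users')) {
    // Running inside WordPress: use live data.
    $admins = wp_list_pluck(get_users(array('role' => 'administrator')), 'user_login');
    echo "Administrator accounts:\n";
    foreach ($admins as $login) {
        echo "  - {$login}\n";   // review every entry, not only the flagged ones
    }
    $suspects = wpgdpr_demo_suspicious_admins($admins);
    echo 'Flagged admin logins: ' . (empty($suspects) ? 'none' : implode(', ', $suspects)) . "\n";

    $shells = wpgdpr_demo_find_wp_cache_php(ABSPATH);
    echo 'wp-cache.php files: ' . (empty($shells) ? 'none' : "\n  " . implode("\n  ", $shells)) . "\n";
} else {
    // Constructed sample for running the helper outside WordPress.
    $sample_admins = array('alice', 'T2TrollHerten', 't2trollherten_2', 'bob');
    print_r(wpgdpr_demo_suspicious_admins($sample_admins));
    // Expected: T2TrollHerten and t2trollherten_2 are flagged; alice and bob are not.
}
```

Print the full administrator list rather than only the matches: the quoted indicator is one username family seen by one vendor, and an attacker who can create admin accounts can name them anything.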

Website owners running this plugin should immediately update to the latest version (1.4.3), which is patched against the described attacks. Note that updating closes the hole but does not undo anything an attacker has already done: sites that ran a vulnerable version should also be checked for unknown administrator accounts and unexpected files such as the wp-cache.php webshells mentioned above.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
