Critical vulnerabilities in WordPress GDPR plugin let hackers seize control of websites
The flaws, present for at least four months, led attackers to change URL settings and add their own administrator accounts


Attackers have been exploiting a flaw in a GDPR-compliance plugin on WordPress to hijack vulnerable websites and implement remote code execution.
The privilege escalation flaw had been present in the 'GDPR Compliance' plugin developed by security provider Wordfence for at least four months, and allowed hackers to use an exploit to execute any action, and update any database value.
There are examples of live sites infected using this attack method, including instances of malicious actors installing several administrator accounts, according to WordPress threat analyst Mikey Veenstra.
"The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, allowing them to further infect vulnerable sites," Veenstra said.
"Any sites making use of this plugin should make it an immediate priority to update to the latest version, or deactivate and remove it if updates are not possible."
The exploit resulted in malicious actors adding administrator accounts that are normally a variation on 't2trollherten' and 't3trollherten', as well as 'superuser', according to security blog Sucuri's Pedro Peixoto. The exploit has also been associated with uploading a malicious webshell, named wp-cache.php, to allow attackers unauthorised access to sites.
Peixoto added a growing number of WordPress-based sites had their URL settings changed to hxxp://erealitatea[.]net, with a Google query returning more than 5,000 results for the malicious URL.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"The most important action to take is to patch the vulnerability," Peixoto said. "You should also disable user registrations and ensure that the default user role is not set to Administrator."
A patch with three security fixes was released last week in the form of version 1.4.3, but the bug existed for at least four months since version 1.4.2 was released in July, and possibly prior to that. Users who have not upgraded to the latest version are still vulnerable.
With the EU's General Data Protection Regulation (GDPR) demanding tougher data protection standards from all organisations, such a plugin would appeal to a broad range of WordPress users, with the tool boasting more than 100,000 active downloads.
It is marketed as allowing website owners to keep a consent log for supported plugins, and adding checkboxes to supported plugins to gain visitor consent. It also provides users with a means to comply with 'right to access' by encrypting audit logs, and 'right to be forgotten' by anonymising user data.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
M&S suspends online sales as 'cyber incident' continues
News Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
By Ross Kelly
-
Manners cost nothing, unless you’re using ChatGPT
Opinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
By Ross Kelly
-
Hackers are targeting Ivanti VPN users again – here’s what you need to know
News Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
By Emma Woollacott
-
Broadcom issues urgent alert over three VMware zero-days
News The firm says it has information to suggest all three are being exploited in the wild
By Solomon Klappholz
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim
News Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
By Solomon Klappholz
-
Everything you need to know about the Microsoft Power Pages vulnerability
News A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
By Solomon Klappholz
-
Vulnerability management complexity is leaving enterprises at serious risk
News Fragmented data and siloed processes mean remediation is taking too long
By Emma Woollacott
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to know
News Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
By Solomon Klappholz
-
Researchers claim an AMD security flaw could let hackers access encrypted data
News Using only a $10 test rig, researchers were able to pull off the badRAM attack
By Solomon Klappholz
-
A journey to cyber resilience
whitepaper DORA: Ushering in a new era of cyber security
By ITPro