Critical vulnerabilities in WordPress GDPR plugin let hackers seize control of websites

Image of generic lines of code to indicate hackers at work

Attackers have been exploiting a flaw in a GDPR-compliance plugin on WordPress to hijack vulnerable websites and implement remote code execution.

The privilege escalation flaw had been present in the 'GDPR Compliance' plugin developed by security provider Wordfence for at least four months, and allowed hackers to use an exploit to execute any action, and update any database value.

There are examples of live sites infected using this attack method, including instances of malicious actors installing several administrator accounts, according to WordPress threat analyst Mikey Veenstra.

"The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, allowing them to further infect vulnerable sites," Veenstra said.

"Any sites making use of this plugin should make it an immediate priority to update to the latest version, or deactivate and remove it if updates are not possible."

Malicious WordPress plugin installed backdoor on thousands of websites Researchers ‘break’ Edge with zero-day remote code exploit

The exploit resulted in malicious actors adding administrator accounts that are normally a variation on 't2trollherten' and 't3trollherten', as well as 'superuser', according to security blog Sucuri's Pedro Peixoto. The exploit has also been associated with uploading a malicious webshell, named wp-cache.php, to allow attackers unauthorised access to sites.

Peixoto added a growing number of WordPress-based sites had their URL settings changed to hxxp://erealitatea[.]net, with a Google query returning more than 5,000 results for the malicious URL.

"The most important action to take is to patch the vulnerability," Peixoto said. "You should also disable user registrations and ensure that the default user role is not set to Administrator."

A patch with three security fixes was released last week in the form of version 1.4.3, but the bug existed for at least four months since version 1.4.2 was released in July, and possibly prior to that. Users who have not upgraded to the latest version are still vulnerable.

With the EU's General Data Protection Regulation (GDPR) demanding tougher data protection standards from all organisations, such a plugin would appeal to a broad range of WordPress users, with the tool boasting more than 100,000 active downloads.

It is marketed as allowing website owners to keep a consent log for supported plugins, and adding checkboxes to supported plugins to gain visitor consent. It also provides users with a means to comply with 'right to access' by encrypting audit logs, and 'right to be forgotten' by anonymising user data.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.