A few days ago, the WP GDPR Compliance plugin was temporarily removed from the WordPress.org plugin directory because of security issues affecting users of the content management system.
Network and system administrators and developers need to take the necessary steps to protect their sites against this vulnerability.
What is the WP GDPR Compliance Plugin?
The WP GDPR Compliance plugin lets WordPress site owners add checkboxes to their site. Visitors use the checkbox to give the site owner permission to view and use their data for their orders, and can request copies of their data from the site. The plugin was created to help website owners comply with the General Data Protection Regulation, which applies to all member countries of the European Union.
These requests go through admin-ajax.php, which the GDPR Compliance plugin uses to handle them. The problem is that attackers can send malicious values to the same endpoint; the plugin stores them and then acts on them, triggering WordPress actions on its own.
Updating to Latest Version
Anyone running a WordPress site with the WP GDPR Compliance plugin should update to the latest version, which fixes this vulnerability. The latest version is 1.4.3.
This update was released as a patch for the vulnerabilities after the plugin was temporarily removed.
The vulnerabilities in the WP GDPR Compliance plugin allowed attackers to escalate privileges and attack vulnerable sites. Any website that uses the plugin must therefore update to the latest version, or remove the plugin if updating is not possible.
About the Vulnerability
The WP GDPR Compliance plugin handles functions such as the data access and deletion requests required by the GDPR and changes to settings in the WordPress dashboard, among others. Versions up to 1.4.2 did not perform capability checks before executing some internal actions.
Because of this, an attacker can submit arbitrary option names and values, and the plugin stores them in the options table of the database on any vulnerable site running it.
The plugin then uses that option name and value in a do_action call, so the same flaw lets an attacker trigger arbitrary actions in WordPress. Technically there are two vulnerabilities: the arbitrary option update and the arbitrary action call. Because both sit in the same code block and are reached by a single payload, they are treated as one vulnerability.
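To make the missing check concrete, here is an added illustration in PHP (not the plugin's own code) of an admin-ajax.php handler in the shape the article describes, followed by a hardened version; the action and option names (example_save_setting, example_consent_text, example_consent_enabled, example_setting_saved) are hypothetical.

```php
<?php
// Added illustration, not the plugin's code: the vulnerable shape first.
// Any request that reaches admin-ajax.php can name an option and a value;
// both are saved unchecked, and the option name is then fired as an action.
function vulnerable_save_setting() {
    $option = sanitize_text_field( $_POST['option'] ?? '' );
    $value  = $_POST['value'] ?? '';
    update_option( $option, $value );   // no capability check, any option name accepted
    do_action( $option, $value );       // caller-chosen hook name is executed
    wp_send_json_success();
}
// Registered for logged-in and logged-out callers alike.
add_action( 'wp_ajax_example_save_setting', 'vulnerable_save_setting' );
add_action( 'wp_ajax_nopriv_example_save_setting', 'vulnerable_save_setting' );

// Hardened shape: nonce check, capability check, an allow-list of option
// names, a fixed hook name, and sanitised values. Only logged-in users with
// manage_options (administrators) can reach it.
function hardened_save_setting() {
    check_ajax_referer( 'example_save_setting', 'nonce' );      // rejects forged requests
    if ( ! current_user_can( 'manage_options' ) ) {             // capability check
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'example_consent_text', 'example_consent_enabled' );
    $option  = sanitize_key( $_POST['option'] ?? '' );
    if ( ! in_array( $option, $allowed, true ) ) {              // only known options
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $option, $value );
    // Data travels as arguments to a fixed hook, never as the hook name itself.
    do_action( 'example_setting_saved', $option, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_setting', 'hardened_save_setting' );
```

The two controls that matter for this advisory are the current_user_can() check, which stops a self-registered subscriber from changing site options, and the allow-list plus fixed hook name, which removes both the arbitrary option update and the arbitrary action call.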
The Exploitation Process
WordPress security provider Wordfence discovered this vulnerability and explained how attackers were exploiting the plugin.
The attackers created an administrative account by enabling new user registration and registering themselves, then changed the setting that made their new account an administrator. With that access they installed malicious plugins that infected the site, including a PHP web shell that gave them administrative control of the WordPress server, with both a file manager and terminal access.
They also uploaded scripted tasks through the mechanism WordPress runs to handle scheduled tasks. The attack uses WooCommerce, which the WP GDPR Compliance plugin supports, to install another plugin that lets administrators insert arbitrary PHP code into the WordPress site.
Biding their Time
Although there is no visible executable payload in this attack, Wordfence says the attackers may simply be biding their time and building up a set of compromised websites.
According to Wordfence, the attackers could be collecting infected hosts to sell wholesale to a third party, or they may have other objectives and have not yet launched that part of the attack.
The plugin's developer, Netherlands-based Van Ons, released the latest version (1.4.3) on November 7, after several users complained that their sites had been hacked through the plugin.
Website owners still running unpatched versions, up to 1.4.2, remain at risk. If you are using one of these versions of the WP GDPR Compliance plugin, update it immediately and scan the site for malicious scripts the attackers may have installed.