WP GDPR Compliance Plugin Vulnerability

Early in the month of November, a popular WordPress plugin ‘WP GDPR Compliance’ became a popular access point for hackers to gain administrator access to WordPress websites. What was supposed to help businesses comply with privacy laws ended up becoming a major security threat which would compromise the very thing it was designed to protect – customer information. In this blog we’ll discuss the vulnerability in detail and what you can do to protect your websites.

The Plugin

First, we must look at the plugin to realise the devastation this vulnerability had the potential to cause. Over 100,000 websites had this plugin installed and running at the time the vulnerability was being mass exploited. The vulnerability was present in version 1.4.2 and below. Shortly after the exploit was disclosed, the plugin was temporarily removed from the WordPress Plugins Directory and a security patch was released within 24 hours. However, even with this quick response time, we know many users simply disregard updates even if it’s to protect their websites. Even now in December, many websites are still vulnerable because of this. The WordPress Plugin Directory has already decided against force-updating websites using vulnerable versions of this plugin.

The Vulnerability

The vulnerability itself is simply a matter of oversight from the developers. The plugin handles actions which are submitted through admin-ajax.php functionality for data access and data deletion requests which is required by GDPR. However, this functionality also includes changing plugin settings. The vulnerability took advantage of the fact that there were no capability checks when using the save_setting action to make these configurations. This allowed malicious users to submit arbitrary options and values to this endpoint. Most hacks leveraging this flaw set the users_can_register option to 1 and changing default_role to administrator. This meant any user could register a new administrator account from /wp-login.php?action=register and make any changes they want.

The Hack

From Blue Whale Media’s perspective, we saw many hacked websites would have these settings saved so more malicious users could take advantage and make their own accounts. All the pages, posts and forms present on the website would have a JavaScript appended to the end of the source. These JavaScripts were simple re-direct loops, with frivolous attempts at hiding URLs with the fromCharCode() function, eventually ending on a website spammed with adverts.

However, there were also cases where much more malicious actions were taken. These included script injections into files, including JS, plugin and core WordPress php files, database injections and backdoors being uploaded, commonly in /wp-content/uploads/…/wp-upd.php.

Patches

The plugin itself was temporarily removed from the WordPress Plugin Directory and was reinstated following a security update release after 24 hours. WordFence, the popular WordPress security plugin, released a new firewall rule preventing the exploitation of this vulnerability, although free users would have a 30-day delay for this.

Blue Whale Media, as always, recommends keeping all your plugins up to date. If your website is currently running the WP GDPR Compliance plugin, ensure it is up to date and double-check your website, users and WordPress settings in case you have fallen victim to an attack. You can install the WordFence plugin and perform a scan to see any malicious file changes, posts, pages etc.

Blogs