A critical flaw in GDPR compliance plugin for WordPress exploited in the wild
12.11.2018 securityaffairs

A critical security vulnerability affects a GDPR compliance plugin for WordPress has been already exploited in the wild to take control of vulnerable websites.
Users warn of cyber attacks exploiting a critical security vulnerability in the WordPress GDPR Compliance plugin for WordPress to take over of websites using it.

The WordPress GDPR Compliance plugin was used by more than 100,000 websites to be compliant with the EU’s General Data Protection Regulation (GDPR). WP GDPR Compliance currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments. Additional plugin support will follow soon.

GDPR Compliance Plugin

Researchers from the Wordfence reported that WordPress GDPR Compliance plugin is affected by vulnerabilities can be exploited by unauthenticated attackers to add new admin accounts.

“The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, allowing them to further infect vulnerable sites. Any sites making use of this plugin should make it an immediate priority to update to the latest version, or deactivate and remove it if updates are not possible.” reads the analysis published by Wordfence.

“We’ve already begun seeing cases of live sites infected through this attack vector. In these cases, the ability to update arbitrary options values is being used to install new administrator accounts onto the impacted sites.”

Researchers from Wordfence have observed two types of attacks. In one attack scenario attackers exploit the vulnerabilities to modify the “users_can_register” option and allow new users to be registered. The attackers also change the role of new users to “administrator,” to gain full privileges on the websites.

The attackers use the admin account to upload a PHP webshell.

“By leveraging this flaw to set the users_can_register option to 1, and changing the default_role of new users to “administrator”, attackers can simply fill out the form at /wp-login.php?action=register and immediately access a privileged account. From this point, they can change these options back to normal and install a malicious plugin or theme containing a web shell or other malware to further infect the victim site.” continues the analysis.

In a second attack scenario observed by Wordfence experts, attackers used a more complex technique. Attackers installed backdoors by injecting malicious actions into a website’s WP-Cron schedule in order to establish a persistent backdoor.

“In several of the cases we’ve triaged since the disclosure of this vulnerability, we’ve seen malicious administrator accounts present with the variations of the username t2trollherten. This intrusion vector has also been associated with uploaded webshells named wp-cache.php. While these are common IOCs (Indicators of Compromise), these exploits are of course subject to change as attacks grow in sophistication.” states the analysis.

Compromised websites could be used by attackers for various illegal activities, including phishing, and spamming, or to resell the access to them on the cybercrime underground.

The development team behind GDPR Compliance plugin deactivated the plugin on its official store and reinstated after the release of the version 1.4.3 on November 7 that addressed the flaws.