WordPress GDPR plugin inadvertently exposed sites to hackers

Keumars Afifi-Sabet Read more November 13, 2018

Attackers have been exploiting a flaw in a WordPress GDPR-compliance plugin to hijack vulnerable websites and implement remote code execution.

WordPress GDPR plugin inadvertently exposed sites to hackers

The flaw had been present in Wordfence’s GDPR Compliance plugin for at least four months and, ironically, allowed hackers to gain access to a site using the tool. Hackers could then execute any action and update any database value.

There are examples of live sites infected using this attack method, including instances of malicious actors installing several administrator accounts, according to WordPress threat analyst Mikey Veenstra.

“The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, allowing them to further infect vulnerable sites,” Veenstra said. “Any sites making use of this plugin should make it an immediate priority to update to the latest version, or deactivate and remove it if updates are not possible.”

The exploit resulted in malicious actors adding administrator accounts that are normally a variation on ‘t2trollherten’ and ‘t3trollherten’, as well as ‘superuser’, according to security blog Sucuri’s Pedro Peixoto. The exploit has also been associated with uploading a malicious webshell, named wp-cache.php, to allow attackers unauthorised access to sites.

Peixoto added a growing number of WordPress-based sites had their URL settings changed to hxxp://erealitatea[.]net, with a Google query returning more than 5,000 results for the malicious URL.

“The most important action to take is to patch the vulnerability,” Peixoto said. “You should also disable user registrations and ensure that the default user role is not set to Administrator.”

A patch with three security fixes was released last week in the form of version 1.4.3, but the bug existed for at least four months since version 1.4.2 was released in July, and possibly prior to that. Users who have not upgraded to the latest version are still vulnerable.

With the EU’s General Data Protection Regulation demanding tougher data protection standards from all organisations, such a plugin would appeal to a broad range of WordPress users, with the tool boasting more than 100,000 active downloads.

It is marketed as allowing website owners to keep a consent log for supported plugins, and adding checkboxes to supported plugins to gain visitor consent. It also provides users with a means to comply with ‘right to access’ by encrypting audit logs, and ‘right to be forgotten’ by anonymising user data.