Posted on November 14, 2018 at 6:05 PM
According to new reports, attackers have found and exploited a critical flaw in the WP GDPR Compliance plugin for WordPress. The vulnerability allowed them to hijack numerous websites and execute code on them remotely.
The flaw is a privilege escalation vulnerability in the WP GDPR Compliance plugin. The vulnerable code was introduced around four months ago, and the issue was analyzed by the security provider Wordfence.
Several websites have already been compromised through the flaw, with attackers creating additional administrator accounts on them. This was confirmed by Mikey Veenstra, a Wordfence threat analyst who specializes in WordPress. Veenstra stated that the vulnerability lets an attacker obtain elevated privileges and then compromise the vulnerable site further. He advised all sites using the plugin to update it to the latest version immediately, or else to deactivate it and remove it completely.
The number of hijacked websites is growing
Having exploited the vulnerability, attackers gained access to websites and added accounts, as noted above. These accounts typically carry names such as “t2trollherten”, “t3trollherten”, or “superuser”, according to Pedro Peixoto of the security company Sucuri. Peixoto added that the attacks also involve uploading a malicious webshell named wp-cache.php, which serves as a backdoor for continued unauthorized access to the site.
Peixoto also stated that the number of hijacked websites is growing. Their site URL settings are being changed to hxxp://erealitatea[.]net, and a Google search for that URL returns over 5,000 results. The first step, according to Peixoto, is to patch the vulnerability as soon as possible. Until that is done, website owners were advised to check that user registration is disabled and that the default role for new users is not Administrator. Note that updating the plugin does not evict an attacker who has already planted a webshell or an administrator account; those indicators still have to be checked for and cleaned up.
Fortunately, a fixed version was released relatively soon after the flaw became known. It came out only last week, as version 1.4.3, and it addresses three flaws. Plugin users are advised to install it immediately, since the previous release, 1.4.2, is believed to be the one that introduced the vulnerability. That release came out in July, about four months ago, although the flaw may have been present even earlier.
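The checks described above (plugin version below 1.4.3, user registration enabled with an Administrator default role, site URL pointed at the malicious domain, rogue user names, and a planted wp-cache.php) can be run as a single triage script. The following is an added example, not code from the original article, from Wordfence or from Sucuri. It assumes you have already pulled the relevant wp_options and wp_users rows and a file listing out of the site (for instance with WP-CLI or a database dump); the sample data below is constructed for illustration, and the assumption that an unparseable plugin version should be treated as unpatched is the author's.

```python
"""Triage a WordPress site for the WP GDPR Compliance compromise indicators.

Added example, not from the original article. Inputs are plain Python
structures so the script runs offline against constructed sample data.
"""
import re
from urllib.parse import urlparse

# Indicators named in the article: rogue admin usernames, webshell file name,
# the domain the hijacked sites' URL settings were pointed at, and the fixed
# plugin version.
ROGUE_LOGIN_RE = re.compile(r"^(t\d+trollherten|superuser)", re.IGNORECASE)
WEBSHELL_NAME = "wp-cache.php"
MALICIOUS_HOST = "erealitatea.net"   # written as erealitatea[.]net in the article
FIXED_VERSION = (1, 4, 3)

# Constructed sample data standing in for rows pulled from a compromised site.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: WP GDPR Compliance
Version: 1.4.2
*/
"""
SAMPLE_OPTIONS = {
    "siteurl": "http://erealitatea.net",      # attacker-changed URL setting
    "home": "https://example.org",
    "users_can_register": "1",                # registration switched on
    "default_role": "administrator",          # new users become admins
}
SAMPLE_USERS = [
    {"user_login": "editor", "user_registered": "2018-03-02 10:00:00"},
    {"user_login": "t2trollherten", "user_registered": "2018-11-08 03:14:07"},
    {"user_login": "superuser", "user_registered": "2018-11-09 01:02:03"},
]
SAMPLE_FILES = [
    "wp-content/plugins/wp-gdpr-compliance/wp-gdpr-compliance.php",
    "wp-content/uploads/2018/11/wp-cache.php",   # planted webshell
    "wp-content/advanced-cache.php",
]


def plugin_version_outdated(plugin_header: str) -> bool:
    """True if the plugin's 'Version:' header is older than the fixed 1.4.3."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", plugin_header, re.MULTILINE)
    if not match:
        return True  # Assumption: an unreadable version is treated as unpatched.
    version = tuple(int(part) for part in match.group(1).strip(".").split("."))
    return version < FIXED_VERSION


def check_options(options: dict) -> list:
    """Flag the wp_options values the article says attackers abused or changed."""
    findings = []
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled")
    if str(options.get("default_role", "subscriber")).lower() == "administrator":
        findings.append("default_role for new users is administrator")
    for key in ("siteurl", "home"):
        host = urlparse(str(options.get(key, ""))).hostname or ""
        if host == MALICIOUS_HOST or host.endswith("." + MALICIOUS_HOST):
            findings.append(f"{key} points at {host}")
    return findings


def find_rogue_users(users: list) -> list:
    """Return logins matching the account names seen in the campaign."""
    return [u["user_login"] for u in users if ROGUE_LOGIN_RE.match(u["user_login"])]


def find_webshells(paths: list) -> list:
    """Return every file in the listing whose basename is wp-cache.php."""
    return [p for p in paths if p.replace("\\", "/").rsplit("/", 1)[-1] == WEBSHELL_NAME]


def triage(options: dict, users: list, paths: list, plugin_header: str) -> dict:
    """Run all checks and return the findings as one dictionary."""
    return {
        "plugin_outdated": plugin_version_outdated(plugin_header),
        "option_findings": check_options(options),
        "rogue_users": find_rogue_users(users),
        "webshells": find_webshells(paths),
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_OPTIONS, SAMPLE_USERS,
                               SAMPLE_FILES, SAMPLE_PLUGIN_HEADER).items():
        print(f"{name}: {result}")
```

On a real site, feed the script the `users_can_register`, `default_role`, `siteurl` and `home` options, the full `user_login` column, and a recursive file listing of the document root; a hit on any check after updating to 1.4.3 means the update alone did not remove the attacker's foothold.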
After the European Union’s GDPR (General Data Protection Regulation) came into force, organizations handling the personal data of EU residents had to raise their data protection standards. This is why plugins like this one drew a lot of attention from WordPress users; the tool ended up with over 100,000 downloads.
The plugin lets website owners keep a consent log for the plugins it supports and add consent checkboxes to those plugins’ forms so that visitors can give consent. It also provides encrypted audit logs in support of the GDPR ‘right to access’, and data anonymization in support of the ‘right to be forgotten’.