WordPress GDPR Plugin Hacked

Updated: Apr 13, 2020

A WordPress GDPR compliance plugin – WP GDPR Compliance was found to have a vulnerability that would make it ironically short of GDPR Compliance. Researchers from Wordfence discover the plugin’s vulnerability which allowed hackers to take complete administrator access to WP installation and infect other vulnerable sites through backdoor scripts installation.

The plugin allows website owners to add a checkbox on their websites, which would enable visitors to grant the site owner permission to use their data for a specific purpose, such as handling customer orders, and would allow visitors to request copies of the data that the site has about them. Requests are sent by users using admin-ajax.php, a file that can connect browsers to WP’s server and uses a combination of XML and JavaScript technology to generate a smoother user interface. Overall, this allows WordPress’ content management system to provide a much better auto-saving and revision tracking.

However, the plugin also allows users to tweak it via the ajax file. Attackers could first create administrative accounts through new user registration and then by changing the settings, these new accounts could be used to install backdoor scripts. WordPress’ security firm, Wordfence confirms the plugin’s vulnerability and further stated how attackers can exploit it in two ways: One is by creating administrative accounts and then installing a malicious plugin that would infect the site with malware so they can then install a PHP web shell, granting them remote admin capabilities on the web server, and in turn, providing them with a file manager, and terminal access. Another more complicated way would involve the attackers uploading a series of scheduled scripted tasks via WP-Cron, the scheduling system WordPress uses to handle scheduled tasks. They then hijack WP’s e-commerce plugin, WooCommerce to install 2MB Autocode, a plugin that allows admins to inject their own PHP code into WP posts. The attackers then injected their own PHP backdoor script that downloaded codes from another site. The 2MB Autocode plugin then erased itself from the system.

Although there seems to be no immediate reward for the attack, Wordfence suspects that the attackers are stockpiling infected hosts to be packaged and sold wholesale to another entity with their own intentions, or are just biding time to launch yet another attack.

Developers have already fixed the plugin’s flaw since WP’s security team removed it from their directory, and has now made it publicly available again. Users, however, are encouraged to update their plugins. Any version less than 1.4.3 may be vulnerable.