A WordPress plug-in used to help with GDPR compliance contains a dangerous privilege escalation vulnerability that attackers have been actively exploiting to compromise websites.
The popular WP GDPR Compliance plug-in helps site owners comply with Europe’s General Data Protection Regulation by providing tools through which visitors can consent to the use of their personal data or request the data the website’s database holds about them.
The bug specifically exists within the plug-in’s “wp-admin/admin-ajax.php” functionality. When exploited, the vulnerability “allows unauthenticated users to execute any action and to update any database value.” This allowed hackers to add new administrator accounts to affected sites and seize full control of them, potentially to redirect users or install malware. The plug-in normally handles the access and deletion requests that GDPR compliance requires, but versions before the patch don’t properly sanitize the ‘save_setting’ action. Because of that, an attacker can inject arbitrary commands, which are stored until the plug-in reaches its ‘do_action()’ call.
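The defect class described above, an AJAX settings handler reachable without authentication that writes attacker-chosen rows into wp_options, is illustrated here as an added PHP example beside a hardened form; this is not the plug-in’s own code, and the hook name `example_save_setting`, the nonce name and the option allowlist are assumptions.

```php
<?php
// Added illustration, not code from WP GDPR Compliance. The hook name
// 'example_save_setting', the nonce name and the allowlist are assumptions.

// WEAK PATTERN (the class of bug the article describes): the handler is
// registered for unauthenticated visitors and the option name and value come
// straight from the request, so any row in wp_options can be rewritten.
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_weak' );
function example_save_setting_weak() {
    update_option( $_POST['option'], $_POST['value'] ); // no auth, no allowlist
    wp_die();
}

// HARDENED PATTERN: only logged-in administrators presenting a valid nonce reach
// the handler, and only a fixed set of plugin-owned options can be written.
// Deliberately no 'wp_ajax_nopriv_' registration: anonymous visitors never reach it.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_hardened' );
function example_save_setting_hardened() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' ); // CSRF: dies on a bad nonce

    if ( ! current_user_can( 'manage_options' ) ) {          // authorization: admins only
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Allowlist of options this plugin owns, each mapped to its sanitizer.
    // Core options such as siteurl, default_role or users_can_register are
    // not reachable through this handler.
    $allowed = array(
        'example_consent_text' => 'sanitize_textarea_field',
        'example_enable_form'  => 'rest_sanitize_boolean',
    );
    $option = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';
    if ( ! array_key_exists( $option, $allowed ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }
    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $value = call_user_func( $allowed[ $option ], $raw );

    update_option( $option, $value );
    wp_send_json_success( array( 'option' => $option ) );
}
```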
The bug was discovered by the WordPress.org Plugin Directory Team on Nov. 6 and patched the next day in version 1.4.3; the plug-in’s more than 100,000 users were urged to update as soon as possible to avoid being attacked.
Exploited sites had their site URL setting changed to “hxxp://erealitatea[.]net”. A curated Google search suggests that approximately 7,600 sites were affected. The malicious site appears to have been taken down, but when administrators and users try to interact with affected WordPress sites, most of them fail to load entirely or crash when administrators attempt to edit them.
Website owners hit by the redirection attack can restore the changed URL setting by manually editing the site’s wp_options database table. It is also recommended that they disable user registration, ensure that the default user role is not set to Administrator, and enable a web application firewall.