On the 6th of November 2018, a popular WordPress plugin known as WP GDPR Compliance plugin, which is created to help website owners with GDPR compliance, was found to contain harmful vulnerabilities for privilege escalation that could allow for arbitrary code execution. Hackers have exploited this vulnerability to attack a number of websites. The vulnerability was found in the version 1.4.2 and prior versions of WP GDPR Compliance Plug-in.
As soon as the WordPress Plug-in Directory Team discovered the bug, it was removed from the WordPress plug-in repository. However, the plug-in was updated the following day to the latest version (version 1.4.3) with patched multiple critical vulnerabilities. Following the update, WP GDPR Compliance plug-in has been restored back to the WordPress repository with over 100,000 downloads made.
The reported vulnerability allows attackers to gain privilege escalation, which enables them to infect the susceptible sites further. Hence any website using the version 1.4.2 or earlier of this plug-in should immediately update it to the latest version, otherwise should deactivate and remove it from the dashboard.
Summary of the Vulnerability
The vulnerability found in this plug-in, which allows for arbitrary code execution, existed because the plug-in failed to check the “save_setting” action properly. Hence, attackers can take advantage of this vulnerability by injecting arbitrary commands. The arbitrary commands get stored until the plug-in gets to its “do_action()” call. This subsequently grants the attacker to gain an administrative access to the website, where the attacker can make direct changes to the website, upload further malicious plug-ins for future attacks, etc.
Exploiting the Plug-in
There are various cases of live websites being infected by attackers exploiting this vulnerability. The ability to update arbitrary options values through exploiting the vulnerability can be used to set new administrator accounts on compromised websites.
Attackers can leverage this vulnerability to set the “users_can_register” option to 1, and change the “default_role” of any user to “administrator.” Hence, attackers can easily fill out the form at “/wp-login.php?action=register” to instantly gain administrator access. All they need next to do is change these options back to normal, install malicious themes or plug-ins that contain either a web shell or other malware that will further infect the compromised website.
Recommendations
If you have the older version (version 1.4.2 or earlier) of the WP GDPR Compliance Plug-in installed on your website, it is recommended that you take the following actions:
- Install plug-ins and updates only from the WordPress plugin repository.
- Immediately apply appropriate WP GDPR Compliance Plug-in updates (version 1.4.3) provided by WordPress to the compromised website. Download 1.4.3 and manually update or go over to Dashboard, Plug-in, and simply click “Update Now”.
- Ensure that you apply the “Principle of Least Privilege” to all services an systems.
- Before applying the latest update or patch, verify that no unauthorized system modification has been carried out on your website.
- Monitor any sign of abnormal activity using intrusion detection systems.
Conclusion
Once you realize that your website has been affected by this vulnerability, don’t hesitate to make use of the tools that can help to clean your database of any malicious injection. Most importantly, protect yourself by updating the version of WP GDPR Compliance Plug-in on your website. Currently, our Malware Expert team has launched a new firewall policy capable of preventing the exploitation. We will provide the best protect to your website.