Flaw in GDPR-Themed WordPress Plugin Used to Hijack Websites

A security flaw in a GDPR-themed WordPress plugin has been used by hackers to hijack websites, as per reports.

A blog post by Defiant, a company that focuses on WordPress security, discusses this issue pertaining to the popular plugin WP GDPR Compliance in detail.

Tomáš Foltýn, security writer at ESET, had also discussed the issue in a blog post, which says, “Attackers have been exploiting a security weakness in a GDPR compliance plugin for WordPress to seize control of vulnerable websites, according to a blog post by Defiant, which makes Wordfence security plugins for the web publishing platform.”

The plugin had released an update, patching the vulnerabilities and users were advised to upgrade to version 1.4.3. The Defiant Wordfence blog post reads, “Any sites making use of this plugin should make it an immediate priority to update to the latest version, or deactivate and remove it if updates are not possible.”

The plugin, which was used by over 100,000 websites seeking compliance with the European Union’s GDPR (General Data Protection Regulation), was pulled from the WordPress plugin repository after the flaw was detected and the news broke. Then, it was reinstated quickly with an upgraded version being released; this version had the issues patched.

Hackers were exploiting the issue to compromise vulnerable websites for about three weeks before it was fixed. Experts point out that the issue enabled hackers to hijack websites and use them for further malicious activities as well.

The WP GDPR Compliance plugin is used to handle different functions. The blog post by Defiant explains, “In typical use, the plugin handles a few types of actions which can be submitted via WordPress’s admin-ajax.php functionality. These actions include making the sort of data access requests and deletion requests required by GDPR, but also includes functionality for changing the plugin’s settings from within the WordPress admin dashboard.”

But the vulnerability affected some of its functions. The blog post further says, “However, unpatched versions of WP GDPR Compliance (up to and including version 1.4.2) fail to do capability checks when executing its internal action save setting to make such configuration changes. If a malicious user submits arbitrary options and values to this endpoint, the input fields will be stored in the options table of the affected site’s database… In addition to the storage of arbitrary options values, the plugin performs a do action() call using the provided option name and value, which can be used by attackers to trigger arbitrary WordPress actions.”

It’s pointed out that though it’s counted as one vulnerability, the plugin was actually affected by two distinct bugs. The blog post by Defiant explains, “Disclosures of this flaw have been reporting it as two distinct vulnerabilities: first the arbitrary options update and second the arbitrary action calls, but with both potential exploits living in the same block of code and executed with the same payload, we’re treating this as a single privilege escalation vulnerability.”

The researchers came up with a follow-up blog post which explained the attack scenarios.

The attackers could, by abusing the user registration system on a hijacked website, create new administrator accounts and thus control the website. Once they do it, they reverse the change in the settings that helped them get in; they also disable the user registration. Thus, there are no alarms and the attacks come back a few hours later, to log in with their admin access and to install backdoors.

The attackers could also leverage the vulnerability and abuse WP-Cron, WordPress’s task scheduler. They can inject malicious actions into the scheduler and ultimately establish persistent backdoors.

However, it’s not yet clear as to how the hackers plan to manipulate hijacked websites. The most likely scenario would involve the cybercriminals using these websites to host phishing sites and to spew out spam.