Flaw in WordPress GDPR plugin exposes multiple sites to attack

Security researchers claim over 100,000 sites potentially affected, with the vulnerability available for attacks for weeks

A privilege escalation flaw in a WordPress GDPR compliance plugin has exposed over 100,000 websites to attack.

According to a post on security firm Tenable, sites running WordPress plugin 'WP GDPR Compliance' versions before 1.4.3 are vulnerable to the attack.

"The attack doesn't require authentication, and Sucuri.net reports that attackers have already exploited a number of sites. Exploited sites had their siteurls changed to "hxxp://erealitatea[.]net," wrote Tenable on a blog posting.

With the vulnerability existing in a piece of software designed to improve data health and general security, the irony is not lost on some experts in the field.

https://twitter.com/briankrebs/status/1062372521427775488?ref\\_src=twsrc%5Etfw

The blog post goes to explain how the attack happens.

"The affected plugin normally handles access and delete requests that are required for GDPR compliance, but versions of this plugin before 1.4.3 don't properly sanitise the 'save_setting' action. Because of that, an attacker can inject arbitrary commands, which get stored until the plugin reaches its 'do_action()' call," it said.

The post adds that site admins can check to see if they've been affected.

"Administrators can manually edit the site's database table wp_options to fix the URL if they've been attacked. The record option_name contains the "siteurl" value. Admins can modify the domain in the option_value field."

Once the URL has been put back to its proper address, sites should load normally. However experts recommend checking for any suspicious changes or uploads, or restoring the site from an uncompromised backup.

"Once that step has been performed, site admins should immediately update the affected plugin to the latest version," adds Tenable.

IT security failings are, increasingly, costing CIOs and CEOs their jobs. With business utterly dependent on IT, it's not enough for senior executives to dismiss security as ‘techie stuff'. At Computing's Enterprise Security & Risk Management Live event, hear from the National Crime Agency, ex-hackers and big-business CISOs to learn about how they are tackling cyber security. For more information, check out the dedicated event website. Attendance is FREE to IT leaders and senior IT pros.