Websites running the WordPress GDPR Compliance plugin are being hijacked. A vulnerability in the plugin is being actively exploited, allowing attackers to modify site settings and register new user accounts with administrator privileges.
The vulnerability can be exploited remotely without authentication, and attackers have automated the exploitation in order to hijack as many sites as possible before the flaw is patched.
The flaw was identified by security researchers at Defiant (the company behind Wordfence), who note that in several attacks the attackers closed the hole behind them after exploiting it. Defiant's researchers suggest this tactic keeps other attackers from hijacking the sites they have already compromised. In some cases, once access to a vulnerable site is gained, a PHP webshell is uploaded to give the attackers full control of the site. Other attackers have planted backdoors via the WP-Cron schedule, so the malicious code is re-executed on a schedule and persists.
Compromised websites can be used for phishing and other scams, or loaded with exploit kits that silently install malware on visitors' devices. Analysis of compromised sites has not yet uncovered a final payload. Defiant's researchers suggest the initial aim is to compromise as many sites as possible before the vulnerability is patched; access to the compromised sites may then be sold on, or the attackers may be biding their time before launching the next phase of the attack.
After the vulnerability was found to be under active exploitation, the plugin was removed from the official WordPress.org plugin directory and the developer was notified. A patched version has since been released and the plugin has been reinstated in the directory.
Any website owner with the WordPress GDPR Compliance plugin installed should ensure it is updated to version 1.4.3, released on November 7, 2018, or later. Site owners should also review their sites for any sign of unauthorized changes, in particular newly created administrator accounts, unexpected WP-Cron events and unfamiliar PHP files.
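The following triage script is an added example and is not code from the original article, from Defiant, or from the plugin's developer. It ties together the checks described above: the plugin version against the patched release, administrator accounts registered in the attack window, WP-Cron hooks that are not part of WordPress core, and PHP files in the uploads directory where webshells tend to land. It assumes WP-CLI (`wp`) is installed and that it is run from the WordPress root; the plugin slug `wp-gdpr-compliance`, the list of core cron hooks, the 2018-11-01 cutoff date and the two registration options it reads (`users_can_register`, `default_role`) are assumptions, not details taken from the article. The text-processing helpers take their input as arguments so they can also be run offline against captured WP-CLI output.

```shell
#!/usr/bin/env bash
# Post-exploitation triage for a site that ran a vulnerable WP GDPR Compliance
# plugin. Added example, not part of the original article. Assumes WP-CLI is
# installed and the script runs from the WordPress root.
set -u

FIXED_VERSION="1.4.3"          # first patched release per the article
CUTOFF="2018-11-01"            # assumption: start of the attack window to review

# Assumption: cron hooks a stock WordPress 4.9/5.0 install schedules itself.
# Anything else must be explained by an installed plugin or theme.
CORE_CRON_HOOKS="wp_version_check wp_update_plugins wp_update_themes \
wp_scheduled_delete delete_expired_transients wp_scheduled_auto_draft_delete \
wp_privacy_delete_old_export_files"

# version_lt A B: succeeds if dotted numeric version A is older than B.
version_lt() {
  [ "$1" = "$2" ] && return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$first" = "$1" ]
}

# recent_admins CSV CUTOFF: CSV is the header-included output of
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv
# Prints the logins of administrators registered on or after CUTOFF (YYYY-MM-DD).
recent_admins() {
  printf '%s\n' "$1" | awk -F, -v cutoff="$2" \
    'NR > 1 && substr($2, 1, 10) >= cutoff { print $1 }'
}

# unknown_cron_hooks HOOKS: HOOKS is the header-included output of
#   wp cron event list --fields=hook --format=csv
# Prints every scheduled hook that is not in CORE_CRON_HOOKS.
unknown_cron_hooks() {
  printf '%s\n' "$1" | awk -v core="$CORE_CRON_HOOKS" '
    BEGIN { n = split(core, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    NR > 1 && !($0 in known) { print $0 }'
}

# Live triage against the current site (requires WP-CLI and a working DB connection).
triage() {
  ver=$(wp plugin get wp-gdpr-compliance --field=version 2>/dev/null || true)
  if [ -z "$ver" ]; then
    echo "wp-gdpr-compliance is not installed"
  elif version_lt "$ver" "$FIXED_VERSION"; then
    echo "VULNERABLE: wp-gdpr-compliance $ver is older than $FIXED_VERSION"
  else
    echo "wp-gdpr-compliance $ver is patched"
  fi

  echo "== administrators registered since $CUTOFF =="
  recent_admins "$(wp user list --role=administrator \
    --fields=user_login,user_registered --format=csv)" "$CUTOFF"

  echo "== registration settings (assumption: the settings an attacker would flip) =="
  echo "users_can_register=$(wp option get users_can_register)"
  echo "default_role=$(wp option get default_role)"

  echo "== WP-Cron hooks not scheduled by WordPress core =="
  unknown_cron_hooks "$(wp cron event list --fields=hook --format=csv)"

  echo "== PHP files under wp-content/uploads (webshell candidates) =="
  find wp-content/uploads -type f -name '*.php' -print
}

# Run the live checks only when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ] && [ "${1:-}" = "--run" ]; then
  triage
fi
```

Run it as `bash triage.sh --run` from the WordPress root; a non-empty list under any of the headings, or a `VULNERABLE` line, means the site needs a closer look. The cutoff date and the core hook list are starting points, not a signature: a hook that is absent from the list but belongs to a legitimately installed plugin is expected, while an administrator nobody recognizes is not.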