At the end of last week, a plugin called WP GDPR Compliance sent out a security update for a privilege escalation vulnerability that was reported to the WordPress Plugin Directory team on November 6. The plugin was temporarily removed and then reinstated after the issues were patched within 24 hours by its creators, Van Ons, a WordPress development shop based in Amsterdam.
The changelog for the most recent release states that previous versions are vulnerable to SQL injection due to “wrong handling of possible user input in combination with unsafe unserialization.” The fixes are in version 1.4.3, which includes the following:
- Security fix: Removed base64_decode() function
- Security fix: Correctly escape input in $wpdb->prepare() function
- Security fix: Only allow modifying WordPress options used by the plugin and by the user capabilities
Van Ons said they requested the Plugin Directory team do a forced update but they said it was not an option in this case.
WP GDPR Compliance has more than 100,000 active installs. According to Wordfence, the vulnerability is being actively exploited in the wild and many users are reporting new administrator accounts being created on their affected sites. The Wordfence blog has a breakdown of how attackers are taking advantage of these sites:
We’ve already begun seeing cases of live sites infected through this attack vector. In these cases, the ability to update arbitrary options values is being used to install new administrator accounts onto the impacted sites.
By leveraging this flaw to set the users_can_register option to 1, and changing the default_role of new users to “administrator”, attackers can simply fill out the form at /wp-login.php?action=register and immediately access a privileged account. From this point, they can change these options back to normal and install a malicious plugin or theme containing a web shell or other malware to further infect the victim site.
Wordfence has seen multiple malicious administrator accounts present on sites that have been compromised, with variations of the username t2trollherten. Several WP GDPR Compliance plugin users have commented on the Wordfence post saying they were victims of the exploit, having found new admin users with a backdoor and file injections added.
The plugin has its own website where the vulnerability was announced. Its creators recommend that anyone who didn’t update right away on November 7, 2018, should look for changes in their databases. The most obvious symptom of attack is likely to be new users with administrator privileges. Any unrecognized users should be deleted. They also recommend restoring a complete backup of the site before November 6 and then updating to version 1.4.3 right away.
The WP GDPR Compliance plugin lets users add a GDPR checkbox to Contact Form 7, Gravity Forms, WooCommerce, and WordPress comments. It allows visitors and customers to opt into allowing the site to handle their personal data for a defined purpose. It also allows visitors to request data stored in the website’s database through a Data Request page that allows them to request data to be deleted.
While the name of the plugin includes the word “compliance,” users should note that the plugin details includes a disclaimer:
“ACTIVATING THIS PLUGIN DOES NOT GUARANTEE YOU FULLY COMPLY WITH GDPR. PLEASE CONTACT A GDPR CONSULTANT OR LAW FIRM TO ASSESS NECESSARY MEASURES.”
A relatively new amendment to section 9 of the plugin development guidelines restricts plugin authors from implying that a plugin can create, provide, automate, or guarantee legal compliance. Heather Burns, a member of WordPress Privacy team, worked together with Mika Epstein last April to put this change into effect. This guideline is especially important for users to remember when a plugin author uses GDPR Compliance in the name of the plugin. It isn’t a guarantee of compliance, just a useful tool as part of larger plan to protect users’ privacy.