Many WordPress Users are at critical risk of noncompliance with the “GDPR Cookie Consent WordPress” plugin. Here’s how:
The GDPR Cookie Consent Plugin that was designed to help in compliance, has come out to be counterproductive. The plugin was inherently bugged and never really allowed complete compliance. The critical flaw has rendered 700k sites believe they were complying while they were not.
Exploring the iceberg further shows that the risk it posed was a lot deeper than this. This plugin, if exploited, allowed attackers to modify content and inject malicious JavaScript code into victim websites.
The malicious plugin, GDPR Cookie Consent, aimed to display effective cookie banners to meet the EU’s privacy regulation. It currently has more than 700,000 active installations of the version 1.8.2 and below.
No organisation should put themselves under such supreme risk. Compliance is simpler if done the right way. To learn more about GDPR and Cookies here.
The developer was warned to resolve the issues earlier this week. It was then removed from the WordPress plugin directory. The notification then indicated that the plugin is “pending a full review” at the plugin page.
This forced the developers to post a new version, 1.8.3. Cookie Law Info, the developer posted the new version, on Feb. 10.
The risk is centered in allowing access controls in an endpoint within the WordPress plugin’s AJAX API. The creation of web applications was the attacker’s sweet spot in the plugin. That endpoint is its “_construct” technique. This helps in initializing code for newly created items. The developed actions through the AJAX “_construct” method fails to implement security checks.
Because of this loophole, the subscribers can acquire the administrator-level permissions. This can lead to major vulnerability in the site of any and all of these 700 k users.
According to researchers, this can compromise the site’s security at any time. Compliance does not in any way require a business to put themselves in such a vulnerable position. A subscriber generally only has the right to login, view content and share comments.
Two values of the AJAX code save_contentdata and autosave_content_data can be used for exploitation by an attacker.
The save_contentdata method was created to allow administrators to store the GDPR cookie notices to the database as a page post type. But, this process is unchecked. Any authenticated user or a subscriber can use this existing page, a post, or the whole website offline. They can do this by changing its status from “published” to “draft.”
According to Bruandet, The content can be deleted, injected changed. The attacker may attack the hyperlinks and shortcodes as well.
Wordfence exposed details of the vulnerability. It was initially discovered by Jerome Bruandet, a security researcher with NinTechNet. His findings can be seen in their post.
Are you at risk too? WordPress plugin should be updated right away. The latest version is better, but do you know what is best? Ensuring that your compliance is effective and on point with Seers.
