More than 100,000 websites were affected by a vulnerability in a WordPress plugin that was designed to help site owners comply with the General Data Protection Regulation (GDPR).
Researchers from Wordfence also reported evidence of attacks in which malicious third parties installed their own administrator accounts on various sites. Though the full scope of how cybercriminals might use this access is unknown, it could enable them to install malware and hijack sites to use in phishing schemes.
The plugin, called WP GDPR Compliance, was initially removed from a plugin repository after the WordPress exploit was discovered. A patched version has since been made available.
WordPress Exploit Enables Attackers to Hijack Websites
WP GDPR Compliance was created to address some requirements in the legislation around requests for data access and how data is deleted from WordPress-hosted sites. A bug in the system that registers new users, however, enables threat actors to create their own accounts. This gives them full privileges to control what happens on the site and lets them cover their tracks by disabling the same feature and locking out legitimate site owners.
A second use of the WordPress exploit involves manipulating WP-Cron, the plugin’s task scheduler, which enables attackers to create other entry points through which to take control of a site.
This WordPress exploit affects WP GDPR Compliance versions up to and including 1.4.2. The patched version, 1.4.3, is now available within the WordPress plugin repository.
How Can Site Owners Protect Their Accounts?
Along with theme directories, plugins are a highly popular avenue for attack on WordPress sites. According to IBM X-Force, for example, directory references to “plugins” were found in close to 40 percent of the WordPress URLs where malware or other files had been discovered.
The risks associated with the WP GDPR Compliance plugin reinforce the importance of proactive patching. However, security experts also suggest proactively scanning such sites for potential anomalies, which could include changes in files or, in this case, new admin accounts.
Sources: WordFence, WeLiveSecurity