Light Dark
November 20, 2018 By Shane Schick 2 min read

More than 100,000 websites were affected by a vulnerability in a WordPress plugin that was designed to help site owners comply with the General Data Protection Regulation (GDPR).

Researchers from Wordfence also reported evidence of attacks in which malicious third parties installed their own administrator accounts on various sites. Though the full scope of how cybercriminals might use this access is unknown, it could enable them to install malware and hijack sites to use in phishing schemes.

The plugin, called WP GDPR Compliance, was initially removed from a plugin repository after the WordPress exploit was discovered. A patched version has since been made available.

WordPress Exploit Enables Attackers to Hijack Websites

WP GDPR Compliance was created to address some requirements in the legislation around requests for data access and how data is deleted from WordPress-hosted sites. A bug in the system that registers new users, however, enables threat actors to create their own accounts. This gives them full privileges to control what happens on the site and lets them cover their tracks by disabling the same feature and locking out legitimate site owners.

A second use of the WordPress exploit involves manipulating WP-Cron, the plugin’s task scheduler, which enables attackers to create other entry points through which to take control of a site.

This WordPress exploit affects WP GDPR Compliance versions up to and including 1.4.2. The patched version, 1.4.3, is now available within the WordPress plugin repository.

How Can Site Owners Protect Their Accounts?

Along with theme directories, plugins are a highly popular avenue for attack on WordPress sites. According to IBM X-Force, for example, directory references to “plugins” were found in close to 40 percent of the WordPress URLs where malware or other files had been discovered.

The risks associated with the WP GDPR Compliance plugin reinforce the importance of proactive patching. However, security experts also suggest proactively scanning such sites for potential anomalies, which could include changes in files or, in this case, new admin accounts.

Sources: WordFence, WeLiveSecurity

 |  |  |  |  | 
Shane Schick
Writer & Editor

More from

March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

10 min read - Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.Typical outcomes of a WDAC bypass bug bounty submission:Bypass is fixed; possible bounty awardedBypass is not fixed but instead "mitigated" by being added to the WDAC recommended block list. Likely no bounty awarded but honorable mention is typically givenBypass is not…

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature