WPTavern: WP GDPR Compliance Plugin Patches Privilege Escalation Vulnerability

At the end of last week, a plugin called WP GDPR Compliance sent out a security update for a privilege escalation vulnerability that was reported to the WordPress Plugin Directory team on November 6. The plugin was temporarily removed and then reinstated after the issues were patched within 24 hours by its creators, Van Ons, a WordPress development shop based in Amsterdam.

The changelog for the most recent release states that previous versions are vulnerable to SQL injection due to “wrong handling of possible user input in combination with unsafe unserialization.” The fixes are in version 1.4.3, which includes the following:

  • Security fix: Removed base64_decode() function
  • Security fix: Correctly escape input in $wpdb->prepare() function
  • Security fix: Only allow modifying WordPress options used by the plugin and by the user capabilities

Van Ons said they asked the Plugin Directory team to push a forced update, but the team said that was not an option in this case.

WP GDPR Compliance has more than 100,000 active installs. According to Wordfence, the vulnerability is being actively exploited in the wild and many users are reporting new administrator accounts being created on their affected sites. The Wordfence blog has a breakdown of how attackers are taking advantage of these sites:

We’ve already begun seeing cases of live sites infected through this attack vector. In these cases, the ability to update arbitrary options values is being used to install new administrator accounts onto the impacted sites.

By leveraging this flaw to set the users_can_register option to 1, and changing the default_role of new users to “administrator”, attackers can simply fill out the form at /wp-login.php?action=register and immediately access a privileged account. From this point, they can change these options back to normal and install a malicious plugin or theme containing a web shell or other malware to further infect the victim site.

Wordfence has seen multiple malicious administrator accounts present on sites that have been compromised, with variations of the username t2trollherten. Several WP GDPR Compliance plugin users have commented on the Wordfence post saying they were victims of the exploit, having found new admin users with a backdoor and file injections added.

The plugin has its own website where the vulnerability was announced. Its creators recommend that anyone who didn’t update right away on November 7, 2018, should look for changes in their databases. The most obvious symptom of attack is likely to be new users with administrator privileges. Any unrecognized users should be deleted. They also recommend restoring a complete backup of the site before November 6 and then updating to version 1.4.3 right away.
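The two option values the Wordfence write-up describes, together with the post-update database check the plugin authors recommend, as an added Python example (this is not code from the article, Wordfence or Van Ons). It assumes the relevant wp_options, wp_users and wp_usermeta rows have already been exported into the constructed dictionaries shown; the username stem and the November 6 date are taken from the article.

```python
import re
from datetime import datetime

# Constructed sample rows standing in for an export of wp_options, wp_users and the
# wp_capabilities row of wp_usermeta (not taken from any real site).
OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
USERS = [
    {"user_login": "siteowner", "user_registered": "2017-03-02 10:00:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "t2trollherten", "user_registered": "2018-11-08 04:12:31",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "reader01", "user_registered": "2018-11-09 09:00:00",
     "wp_capabilities": 'a:1:{s:10:"subscriber";b:1;}'},
]
DISCLOSURE_DATE = datetime(2018, 11, 6)  # date the bug was reported, per the article
KNOWN_BAD_LOGIN = re.compile(r"t2trollherten", re.IGNORECASE)  # stem of the reported username
CAP_RE = re.compile(r's:\d+:"([^"]+)";b:1;')  # roles set to true in the serialized array

def roles_from_capabilities(serialized):
    """Return the roles enabled in a PHP-serialized wp_capabilities value."""
    return set(CAP_RE.findall(serialized))

def check_options(options):
    """Flag the two option values the attack flips to obtain an admin account."""
    findings = []
    if options.get("users_can_register") == "1":
        findings.append("users_can_register=1: anyone can self-register")
    if options.get("default_role") == "administrator":
        findings.append("default_role=administrator: new registrations become admins")
    return findings

def suspicious_admins(users, since=DISCLOSURE_DATE):
    """Logins that are admins created on/after the disclosure date, or match the known name."""
    hits = []
    for u in users:
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        is_new_admin = ("administrator" in roles_from_capabilities(u["wp_capabilities"])
                        and registered >= since)
        if is_new_admin or KNOWN_BAD_LOGIN.search(u["user_login"]):
            hits.append(u["user_login"])
    return hits

def audit(options=OPTIONS, users=USERS):
    """Combine both checks into one report; empty lists mean nothing was flagged."""
    return {"options": check_options(options), "users": suspicious_admins(users)}

if __name__ == "__main__":
    for section, items in audit().items():
        for item in items:
            print(f"[{section}] {item}")
```

A flagged login is a lead, not proof: confirm the account against the site's own records before deleting it, and treat any flagged option as a sign that the database needs a wider review.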

The WP GDPR Compliance plugin lets users add a GDPR checkbox to Contact Form 7, Gravity Forms, WooCommerce, and WordPress comments. It allows visitors and customers to opt into allowing the site to handle their personal data for a defined purpose. It also provides a Data Request page through which visitors can request the data stored about them in the website’s database, or ask for that data to be deleted.

While the name of the plugin includes the word “compliance,” users should note that the plugin’s details page includes a disclaimer:

“ACTIVATING THIS PLUGIN DOES NOT GUARANTEE YOU FULLY COMPLY WITH GDPR. PLEASE CONTACT A GDPR CONSULTANT OR LAW FIRM TO ASSESS NECESSARY MEASURES.”

A relatively new amendment to section 9 of the plugin development guidelines restricts plugin authors from implying that a plugin can create, provide, automate, or guarantee legal compliance. Heather Burns, a member of the WordPress Privacy team, worked together with Mika Epstein last April to put this change into effect. This guideline is especially important for users to remember when a plugin author uses “GDPR Compliance” in the name of the plugin. It isn’t a guarantee of compliance, just a useful tool as part of a larger plan to protect users’ privacy.


Source: WordPress
