Serious vulnerability in GDPR plugin for WordPress

A vulnerability in the WP GDPR Compliance WordPress extension from developer Van Ons allows attackers to take control of the WordPress installation and even the entire server. As the security company Wordfence reports, up to and including version 1.4.2 of the plugin, outsiders can also make any settings in the WordPress installation.

Order now – the c’t special issue on the GDPR Highlights of the special issue: GDPR practice by specialist lawyers; what really matters in 2019; new obligations for companies; IT security requirements; Including webinar, short papers, FAQs, checklists.

c’t know GDPR in the heise shop

In concrete terms, an attacker could first activate user registration, if necessary, then create a new account in the normal way and finally declare it an admin. In this comfortable position, the attacker can eventually take over the server, for example by installing a malicious extension containing a web shell.

The affected extension “WP GDPR Compliance” is intended to make it easier for WordPress operators to meet the requirements of the General Data Protection Regulation (GDPR). The plugin seems to be very popular: The official WordPress plugin directory currently has over 100,000 active installations and over half a million total downloads.

Vulnerability already actively exploited

According to Wordfence, the vulnerability is already being actively exploited by online crooks. In some cases, the company has found that compromised installations have created a user named “t2trollherten”, and attackers have also left behind webshells with the unobtrusive name “wp-cache.php”.

The secure version 1.4.3 has been available for download since November 7th. Anyone using the plugin on their WordPress site should make sure it is up to date, as WordPress installs have always been a popular target for online attackers. Admins should also take this opportunity to check whether the WooCommerce online shop plugin is installed and up to date. in versions older than 3.4.6 there is also a vulnerability that attackers can use to take control of the WordPress installation. (rei)

Source code editor Visual Studio Code gets the Copilot Chat ready to go

Data integration: Apache Hop 2.4 supports DuckDB and scripting in ECMAScript

2022 was supposed to be the year of the Metaverse. Something went wrong?

Rating of the best mobile phones of 2022. 10 nominations in different categories

Hamburg District Court: Uberspace may no longer host Youtube-DL

Test drive Citroen C5 Aircross Hybrid: a look into the future

SAMP / T air defense system: Mamba is waiting for Russians under the Christmas tree

Logos as phishing antidotes in e-mails: Apple goes along with BIMI

Rating of the best laptops in 2022. 10 nominations in different categories

Serious vulnerability in GDPR plugin for WordPress

Vulnerability already actively exploited