- Critical vulnerabilities were discovered in the WordPress GDPR Compliance plugin, allowing unauthenticated attackers to gain control over vulnerable websites.
- The vulnerabilities were discovered by security researchers from Wordfence.
- The vulnerabilities can be exploited to register new users and escalate them to administrative privileges.
- The plugin's developers have already released a new version, and all users are advised to update immediately.
Security researchers have discovered critical vulnerabilities in the WordPress GDPR Compliance plugin that can be exploited by unauthenticated attackers to gain control over vulnerable websites.
The vulnerabilities were discovered by researchers from Wordfence, who said they allow attackers to register new users and escalate their privileges.
The researchers said they have already seen many cases of live sites compromised through this attack.
Attackers were observed abusing the flaw to enable the `users_can_register` option so that new users can register, and to change the role assigned to those users to administrator, giving them full access to the website.
“In several of the cases we’ve triaged since the disclosure of this vulnerability, we’ve seen malicious administrator accounts present with the variations of the username t2trollherten.”
“This intrusion vector has also been associated with uploaded webshells named wp-cache.php. While these are common IOCs (Indicators of Compromise), these exploits are of course subject to change as attacks grow in sophistication,” the researchers said in their published post.
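The post above names three things a site owner can check for after the fact: the registration and role options the attack changes, administrator accounts with variations of the username t2trollherten, and uploaded files named wp-cache.php. The following script is an added example (not code from Wordfence or from the plugin) that runs those checks over data exported from a site; the option values, user list and file listing are constructed sample data standing in for a real export, and the names of the functions are this example's own.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Indicators named in the Wordfence write-up: malicious admin accounts with
# variations of the username "t2trollherten", uploaded webshells named
# wp-cache.php, and the registration/role option changes the attack makes.
SUSPECT_USERNAME = re.compile(r"t2trollherten", re.IGNORECASE)
SUSPECT_FILENAMES = {"wp-cache.php"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" or "warning"
    detail: str


def check_options(options: dict) -> list[Finding]:
    """Flag the wp_options values the attack relies on."""
    found = []
    # The attack turns registration on; WordPress stores the enabled state as "1".
    if str(options.get("users_can_register", "0")) == "1":
        found.append(Finding("warning", "users_can_register is enabled; confirm this is intentional"))
    # If default_role was changed, every self-registered account becomes an admin.
    if options.get("default_role") == "administrator":
        found.append(Finding("critical", "default_role is 'administrator'"))
    return found


def check_users(users: list[tuple[str, str]], expected_admins: set[str]) -> list[Finding]:
    """users holds (user_login, role) pairs as exported from wp_users + wp_usermeta."""
    found = []
    for login, role in users:
        if SUSPECT_USERNAME.search(login):
            found.append(Finding("critical", f"user '{login}' matches known malicious username"))
        elif role == "administrator" and login not in expected_admins:
            found.append(Finding("warning", f"unexpected administrator account '{login}'"))
    return found


def check_files(paths: list[str]) -> list[Finding]:
    """paths is a file listing of the web root; any wp-cache.php is reported for manual review."""
    return [
        Finding("critical", f"possible webshell: {p}")
        for p in paths
        if PurePosixPath(p).name in SUSPECT_FILENAMES
    ]


def audit(options: dict, users: list[tuple[str, str]],
          expected_admins: set[str], paths: list[str]) -> list[Finding]:
    """Run all three checks and return the combined findings."""
    return check_options(options) + check_users(users, expected_admins) + check_files(paths)


# Constructed sample data standing in for a compromised site's export (not real data).
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
SAMPLE_USERS = [
    ("siteowner", "administrator"),
    ("t2trollherten", "administrator"),
    ("T2TrollHerten_2", "subscriber"),
    ("jane", "editor"),
    ("backup_admin", "administrator"),
]
SAMPLE_PATHS = [
    "wp-content/uploads/2018/11/wp-cache.php",
    "wp-content/uploads/2018/11/photo.jpg",
    "wp-config.php",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_OPTIONS, SAMPLE_USERS, {"siteowner"}, SAMPLE_PATHS):
        print(f"[{f.severity}] {f.detail}")
```

The `expected_admins` set is the list of administrator logins the site owner knows to be legitimate; any other administrator is reported as a warning even when its name does not match the known pattern, since the post notes the indicators are subject to change. A hit on wp-cache.php is a lead for manual review of the file contents, not proof on its own.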
The company has already removed the affected plugin and released version 1.4.3, which patches all of the vulnerabilities.
All users are advised to update their WordPress GDPR Compliance plugin to the latest version immediately.
The WordPress GDPR Compliance plugin is used by more than a hundred thousand WordPress sites.