Websites with the WordPress GDPR Compliance plugin installed are being hijacked by attackers. A vulnerability in the plugin is being exploited to change site settings and to register new user accounts with administrator privileges.
The vulnerability can be exploited remotely by unauthenticated users, and many attackers have automated exploitation in order to hijack as many sites as possible before the flaw is patched.
The flaw was discovered by security researchers at Defiant, who noted that in a number of attacks the attackers patched the vulnerability themselves after exploiting it. Defiant's researchers suggest this is done to lock other attackers out of the sites they have already compromised. In some cases, after gaining access to a vulnerable site, the attackers uploaded a PHP webshell to obtain full control of the website. Other attackers installed backdoors via the WP-Cron schedule, a technique that ensures the backdoor persists.
Compromised websites can be used for phishing and other scams, or exploit kits can be uploaded to them to silently download malware onto visitors' devices. Examination of compromised websites has not revealed any payload at this stage. Defiant's researchers suggest that the initial goal is to compromise as many sites as possible before the vulnerability is patched; the compromised sites may then be sold, or the attackers may be biding their time before launching the attack phase.
Once WordPress became aware that the WordPress GDPR Compliance plugin vulnerability was being actively exploited in the wild, the plugin was removed from the official WordPress plugin repository and the developer was notified. A new version of the plugin has since been released and the plugin has been restored to the official repository.
Any website owner with the WordPress GDPR Compliance plugin installed should make sure it is updated to version 1.4.3, which was released on November 7, 2018. Site owners should also check their sites for any sign of unauthorized modification, including whether any new administrator accounts have been created.
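The two post-update checks recommended above (new administrator accounts and persistence planted in the WP-Cron schedule) can be scripted with WP-CLI. The following is an added example written for this page, not code from the article, from Defiant or from the plugin's developers. It assumes WP-CLI (`wp`) is installed and is run from the WordPress root, the cutoff date is an operator-chosen placeholder, the list of known cron hooks is a partial list of WordPress core hooks that must be extended with the hooks your own plugins register, and the sample CSV rows are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the article: triage checks for a WordPress site
# after updating the WordPress GDPR Compliance plugin to 1.4.3.
# Assumes WP-CLI ("wp") is available and the script runs from the WordPress root.

# Administrator accounts registered on or after this date are flagged.
# Placeholder value; set it to the day the plugin was last known to be clean.
CUTOFF="${CUTOFF:-2018-11-01}"

# flag_new_admins CUTOFF
# Reads CSV with a header (user_login,user_email,user_registered) on stdin and
# prints the rows whose registration date is on or after CUTOFF (ISO dates
# compare correctly as strings).
flag_new_admins() {
  awk -F, -v cutoff="$1" 'NR > 1 && substr($3, 1, 10) >= cutoff { print $1 "," $2 "," $3 }'
}

# flag_unknown_cron_hooks
# Reads CSV with a header (hook,next_run_gmt,recurrence) on stdin and prints
# every scheduled hook that is not on the allowlist. The allowlist below holds
# a few WordPress core hooks (assumed partial); add the hooks your plugins
# register so that only unexpected entries are reported.
flag_unknown_cron_hooks() {
  awk -F, 'BEGIN {
      n = split("wp_version_check wp_update_plugins wp_update_themes wp_scheduled_delete delete_expired_transients wp_scheduled_auto_draft_delete wp_privacy_delete_old_export_files", k, " ")
      for (i = 1; i <= n; i++) known[k[i]] = 1
    }
    NR > 1 && !($1 in known) { print $1 "," $2 "," $3 }'
}

# run_live_checks
# Pulls the real account list and cron schedule from the site via WP-CLI and
# verifies core file checksums, which catches modified core files such as an
# injected webshell. Only runs when "wp" is installed.
run_live_checks() {
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found; skipping live checks" >&2; return 0; }
  echo "== administrator accounts registered on/after $CUTOFF =="
  wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv | flag_new_admins "$CUTOFF"
  echo "== scheduled cron hooks not on the allowlist =="
  wp cron event list --fields=hook,next_run_gmt,recurrence --format=csv | flag_unknown_cron_hooks
  echo "== core file checksum verification =="
  wp core verify-checksums
}

# Constructed sample data so the filters can be exercised offline.
SAMPLE_USERS='user_login,user_email,user_registered
owner,owner@example.invalid,2016-03-01 10:00:00
newadmin,newadmin@example.invalid,2018-11-08 02:13:00'

SAMPLE_CRON='hook,next_run_gmt,recurrence
wp_version_check,2018-11-08 12:00:00,12 hours
constructed_backdoor_hook,2018-11-08 12:05:00,1 hour'

echo "sample admins after cutoff:"
printf '%s\n' "$SAMPLE_USERS" | flag_new_admins "$CUTOFF"
echo "sample unknown cron hooks:"
printf '%s\n' "$SAMPLE_CRON" | flag_unknown_cron_hooks

# Uncomment to run against the live site from the WordPress root:
# run_live_checks
```

Any account or cron hook the script reports should be reviewed against the site's change history before it is removed; a flagged hook that belongs to a legitimately installed plugin belongs on the allowlist, while an unrecognized one is the persistence mechanism the article describes and should be treated as an indicator of compromise.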