The operators of the content management platform WordPress have issued an advisory urging users to update the WP GDPR Compliance plug-in as soon as possible, because a flaw in the software could lead to a privacy breach.
The plug-in in question was, ironically, developed to help website owners comply with the General Data Protection Regulation, the new European Union data privacy legislation. WP GDPR Compliance was found to contain a serious vulnerability that allows unauthorized users to gain access to the back end of a website. It is even possible for unauthorized individuals to create accounts with administrator privileges, allowing them to return to the back end of the website at a later date.
The WP GDPR Compliance plug-in was developed to automate GDPR tasks such as data access requests and data deletion requests. Under the GDPR legislation, which was introduced on May 25 this year, companies are obliged to give their users the option to view or delete data that pertains to them.
According to an update on the WPScan Vulnerability Database, this vulnerability allows anyone to do whatever they wish with the site. It states: “The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available for unauthenticated users, even unauthenticated users are able to do this.”
It went on to say that users should update the plug-in to the most recent version, 1.4.3, as soon as they can in order to address the security weakness. You can read the full notice by clicking here. To emphasise the reach of this flaw, the affected plug-in has been downloaded over 100,000 times by WordPress account holders and website managers.
WordPress security plug-in developer Wordfence commented on the GDPR data privacy breach, saying: “More than a hundred thousand WordPress sites using the WP GDPR Compliance plugin were vulnerable to this type of attack. It is of critical importance that any site using this plugin performs the update as soon as possible.”
It went on to say: “Whether an infected site is serving spam emails, hosting a phishing scam, or any other direct or indirect monetization, there’s often a clear goal identified as part of the triage process. However, despite the rapid occurrence of these identified cases, so far our research has only turned up backdoor scripts on sites impacted by this issue. This serves to help prevent other attackers from creating their own administrator accounts, as well as reducing the likelihood that a site’s administrator will notice a problem. It closes the door behind the attacker.” You can read their full coverage of the incident here.
Any company using WordPress should immediately investigate whether its website is using this plug-in. If it is, the update should be completed immediately to avoid the fine of €20m or 4% of annual global revenue (whichever is higher) that is possible under the new GDPR legislation.
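Because the attackers described above left administrator accounts and backdoor scripts behind, updating the plug-in alone does not clean a site that was already hit. The triage script below is an added example, not code from the article, Wordfence or the plug-in's authors: it checks an installed plug-in list for a WP GDPR Compliance version older than the fixed release 1.4.3 and lists administrator accounts registered after a last-known-good date. It assumes the WordPress.org slug `wp-gdpr-compliance` and input in the JSON shape that WP-CLI prints for `wp plugin list --format=json` and `wp user list --format=json`; the sample records are constructed.

```python
"""Post-disclosure triage for WP GDPR Compliance (added example)."""
import json
from datetime import datetime

PATCHED_VERSION = "1.4.3"           # fixed release named in the advisory
PLUGIN_SLUG = "wp-gdpr-compliance"  # assumed WordPress.org slug of the plug-in

# Constructed sample output, shaped like `wp plugin list --format=json`.
PLUGINS_JSON = """[
 {"name": "wp-gdpr-compliance", "status": "active", "update": "available", "version": "1.4.2"},
 {"name": "akismet", "status": "inactive", "update": "none", "version": "4.0.8"}
]"""

# Constructed sample output, shaped like `wp user list --format=json`.
USERS_JSON = """[
 {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
  "user_registered": "2017-03-02 09:15:00", "roles": "administrator"},
 {"ID": 27, "user_login": "helpdesk_admin", "user_email": "hd@example.net",
  "user_registered": "2018-11-09 03:41:17", "roles": "administrator"},
 {"ID": 28, "user_login": "editor2", "user_email": "ed@example.com",
  "user_registered": "2018-11-10 11:00:00", "roles": "editor"}
]"""


def version_tuple(version):
    """'1.4.10' -> (1, 4, 10), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_plugin(plugins):
    """Return the plug-in record if WP GDPR Compliance is installed below 1.4.3, else None."""
    for plugin in plugins:
        if plugin["name"] == PLUGIN_SLUG and \
                version_tuple(plugin["version"]) < version_tuple(PATCHED_VERSION):
            return plugin
    return None


def suspicious_admins(users, since):
    """Logins of administrator accounts registered on or after `since` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    hits = []
    for user in users:
        # WP-CLI prints roles as a comma-separated string; tolerate a list as well.
        roles = user["roles"].split(",") if isinstance(user["roles"], str) else user["roles"]
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and registered >= cutoff:
            hits.append(user["user_login"])
    return hits


def triage(plugins_json, users_json, since):
    """Combine both checks into one report for the site operator."""
    return {"vulnerable_plugin": vulnerable_plugin(json.loads(plugins_json)),
            "new_admins": suspicious_admins(json.loads(users_json), since)}
```

Any account the script lists should be verified with the site owner and, if unexplained, removed together with a search of the web root for recently modified PHP files.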