Critical Security Flaw in GDPR WordPress Plugin

A warning has been issued to WordPress users to update a plugin that had introduced a critical security flaw. The General Data Protection Regulation (GDPR) compliance plugin allows site owners to easily ensure that visitors accept cookies when visiting the website and are given the option to allow or disallow their information being supplied to third parties.

The vulnerability would allow attackers to modify the content of the application or inject malicious JavaScript code via cross-site scripting (XSS). The exploit was made possible by improper access controls on an endpoint in the WordPress plugin's AJAX API, whose “__construct” method (the code that initialises new objects) registered the handlers. The severity of the flaw lies in the fact that the AJAX endpoint, which should have been accessible solely to Administrators, could instead be reached by subscriber-level users, allowing them to perform actions that pose a significant risk to the security of the website.

Two key methods were responsible for allowing exploitation, namely “save_contentdata” and “autosave_constant_data”, which could be used to inject content, malicious or not, into the website. This meant that any authenticated user, regardless of privilege level, could inject malicious JavaScript code into the website, and this code would be executed whenever a user visited the policy-preview page.
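To show the access-control mistake described above, here is an illustrative WordPress AJAX handler added for this page; it is not the GDPR plugin's own code, and the hook, function, option and nonce names are invented. The weak version stores whatever a logged-in user submits; the hardened version checks intent (nonce), authority (capability) and content before saving.

```php
<?php
// Illustrative only: a hypothetical plugin AJAX handler, NOT the GDPR plugin's code.
// WordPress routes wp_ajax_{action} hooks to every authenticated user, so the
// handler itself must decide who is allowed to act.

// --- Weak pattern (shown for contrast, deliberately not hooked below):
// no nonce, no capability check, no sanitisation. A subscriber-level account
// that reaches this handler can overwrite the stored policy content with
// arbitrary HTML, including <script> tags that later run on the preview page.
function example_save_contentdata_weak() {
    $content = wp_unslash( $_POST['content'] ?? '' );
    update_option( 'example_policy_content', $content ); // stored as-is
    wp_send_json_success();
}

// --- Hardened pattern: this is the version actually wired to the hook.
add_action( 'wp_ajax_example_save_contentdata', 'example_save_contentdata_hardened' );
function example_save_contentdata_hardened() {
    // 1. CSRF protection: the request must carry a nonce created with
    //    wp_create_nonce( 'example_save_contentdata' ) in the 'security' field.
    check_ajax_referer( 'example_save_contentdata', 'security' );

    // 2. Authorisation: only users who may manage site options may write here.
    //    Subscribers fail this check and receive a 403 instead of saving.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Input sanitisation: keep post-safe HTML, strip <script> and on* handlers.
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    update_option( 'example_policy_content', $content );

    wp_send_json_success();
}

// Output escaping on the preview page is the last line of defence: even
// already-sanitised content is passed through wp_kses_post again on render,
// so a stale or tampered option value cannot reintroduce script execution.
function example_render_policy_preview() {
    echo wp_kses_post( get_option( 'example_policy_content', '' ) );
}
```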

The vulnerability has since been fixed in version 1.8.3, and WordPress users are strongly encouraged to check the plugins list in their website dashboard, in particular for the General Data Protection Regulation (GDPR) compliance plugin, and ensure it is updated to the latest version available.

Weak credentials and outdated components (e.g. plugins) are the two most common causes of website compromise. We strongly recommend that you grant only the necessary users access to the website administration dashboard, and that each of them uses a strong password to reinforce this access control. Similarly, make sure that your website is updated regularly; we recommend doing so on a weekly basis.