09.11.2018
WordPress – WP-GDPR compliance critical vulnerability

A bug in the WordPress plugin WP GDPR Compliance, developed by Van Ons, allows attackers to take control of a WordPress installation. As the security company Wordfence reports, up to and including version 1.4.2 of the plugin, outsiders can change arbitrary settings of the WordPress installation. Specifically, an attacker could enable user registration if it is not already open, create a new account through the regular sign-up process and then grant that account administrator rights. From that position the attacker can eventually take over the server, for example by installing a malicious plugin that contains a web shell. The affected plugin “WP GDPR Compliance” is meant to make it easier for WordPress operators to comply with the requirements of the General Data Protection Regulation (GDPR, German: DSGVO). The plugin is apparently very popular: the official WordPress plugin directory currently lists over 100,000 active installations and over half a million downloads in total.

According to Wordfence, the vulnerability is already being actively exploited by online criminals. In some cases the company found that compromised installations have a user named “Tolled”, and that attackers left behind web shells with the inconspicuous name “wp-cache.php”. The fixed version 1.4.3 has been available for download since November 7th. Anyone using the plugin on their WordPress site should make sure it is up to date, as WordPress installations have always been a popular target for online attackers. Admins should also check that the WooCommerce online shop plugin is up to date: in versions earlier than 3.4.6 there is also a vulnerability that could allow attackers to take control of the WordPress installation.
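As an added example (not from the article, Wordfence or the plugin authors), the following triage script checks a site snapshot for the points the report raises: plugin versions below the fixed releases, the settings an attacker would flip (open registration, a non-default role for new users), recently created administrators, the reported “Tolled” account and files named “wp-cache.php”. The plugin slugs, option names and all sample data are assumptions or constructed; in practice the inputs would come from the database and file system of the site being checked.

```python
from datetime import datetime

# Fixed plugin versions named in the article (slugs are assumed, not taken from the page).
FIXED = {"wp-gdpr-compliance": "1.4.3", "woocommerce": "3.4.6"}
# Indicators Wordfence reported: the account name and the webshell filename.
SUSPICIOUS_USERS = {"tolled"}
SUSPICIOUS_FILES = {"wp-cache.php"}

def parse_version(v):
    """'1.4.2' -> (1, 4, 2); a trailing tag such as '-beta' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def audit(plugins, options, users, files, window_start):
    """Return a list of findings (empty means nothing matched).

    plugins: {slug: version}; options: {option_name: value} from wp_options;
    users: [{'login', 'role', 'registered': datetime}]; files: [paths];
    window_start: datetime after which a new administrator is worth review.
    """
    findings = []
    for slug, fixed in FIXED.items():
        if slug in plugins and parse_version(plugins[slug]) < parse_version(fixed):
            findings.append(f"{slug} {plugins[slug]} is older than fixed version {fixed}")
    # The bug lets an outsider flip settings: open registration plus an admin default role.
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("open user registration is enabled (users_can_register=1)")
    if options.get("default_role", "subscriber") != "subscriber":
        findings.append(f"default_role for new users is {options['default_role']!r}")
    for u in users:
        if u["login"].lower() in SUSPICIOUS_USERS:
            findings.append(f"user {u['login']!r} matches the reported indicator")
        elif u["role"] == "administrator" and u["registered"] >= window_start:
            findings.append(f"administrator {u['login']!r} registered {u['registered']:%Y-%m-%d}")
    for path in files:
        if path.rsplit("/", 1)[-1] in SUSPICIOUS_FILES:
            findings.append(f"file named like the reported webshell: {path}")
    return findings

def sample_audit():
    """Run the audit over a constructed snapshot of a compromised-looking site."""
    plugins = {"wp-gdpr-compliance": "1.4.2", "woocommerce": "3.4.6"}
    options = {"users_can_register": "1", "default_role": "administrator"}
    users = [
        {"login": "editor_jane", "role": "editor", "registered": datetime(2017, 3, 2)},
        {"login": "Tolled", "role": "administrator", "registered": datetime(2018, 11, 8)},
        {"login": "backup_ops", "role": "administrator", "registered": datetime(2018, 11, 9)},
    ]
    files = ["/var/www/html/wp-content/wp-cache.php", "/var/www/html/wp-config.php"]
    return audit(plugins, options, users, files, window_start=datetime(2018, 11, 1))
```

Calling `sample_audit()` on the constructed snapshot yields six findings; on a patched site with registration closed and no matching users or files the list is empty.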
