Attackers exploiting flaws in a WordPress plugin


Tomas Foltyn, security writer at ESET, explains how cybercriminals are exploiting a security weakness in a GDPR compliance plugin for WordPress to hijack control of vulnerable websites.

Attackers have been exploiting a security weakness in a GDPR compliance plugin for WordPress to seize control of vulnerable websites, according to a blog post by Defiant, which makes Wordfence security plugins for the web publishing platform.

Importantly, the developer behind the plugin, which is called WP GDPR Compliance, has issued a patch fixing the critical flaw. Its users are, therefore, strongly advised to upgrade to version 1.4.3. Alternatively, the tool may be disabled or uninstalled.

Used by more than 100,000 websites seeking compliance with the European Union’s General Data Protection Regulation (GDPR), the plugin was pulled from the WordPress plugin repository after news of the flaw broke, but was reinstated quickly with the release of the version that plugs the hole.

Two in one
If left unpatched, the privilege escalation hole enables attackers to take over affected sites and use them for a range of further villainous actions. This is not merely a hypothetical threat, as attackers were found to have been compromising vulnerable websites for around three weeks.

In fact, the plugin was affected by two distinct bugs. However, “with potential exploits living in the same block of code and executed with the same payload, we’re treating this as a single privilege escalation vulnerability”, reads the blog post. The researchers spotted two kinds of attacks leveraging the security hole: a simpler and a more complex one.

As their follow-up blog post explains, the first – and more common – scenario involves attackers abusing the user registration system on a targeted website in order to create new administrator accounts, which then gives them carte blanche vis-à-vis the site.

As part of the malicious routine, the attackers “close the doors behind themselves” by reversing the changes in settings that let them in and by disabling user registration. This is presumably intended to avoid raising alarms and to lock out competing ne’er-do-wells. A few hours later, the attackers are back – logging in with their admin access and installing backdoors.

In the second – and perhaps more discreet – kind of attack, the malefactors leverage the bug in order to abuse WordPress’s task scheduler, WP-Cron. The long and the short of it is that they inject malicious actions into the task scheduler in order to ultimately establish persistent backdoors.
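The two scenarios above leave traces a site owner can look for: registration settings that were flipped open, administrator accounts that should not exist, and scheduled WP-Cron actions nobody recognises. The following audit script is an added example, not code from the article, from ESET or from Defiant/Wordfence. It assumes (the article does not name them) that the “settings that let them in” are the two standard WordPress registration options, `users_can_register` and `default_role`, and it relies on two allow-lists that the site owner fills in from their own records: the expected administrator logins and the WP-Cron hook names the site legitimately uses. All WordPress functions it calls (`get_option`, `get_users`, `_get_cron_array`) are real core functions.

```php
<?php
/**
 * Added example (not from the article): audit a WordPress site for the
 * post-compromise indicators described above.
 *
 * Assumptions not stated on the page:
 *  - the abused settings are the core options users_can_register and
 *    default_role;
 *  - the site owner knows which administrator logins and which WP-Cron
 *    hooks are legitimate and lists them below.
 *
 * Run inside WordPress, e.g. with WP-CLI: `wp eval-file audit-site.php`,
 * or drop it into wp-content/mu-plugins/ temporarily.
 */

// Site-specific allow-lists: fill these in from your own records.
$known_admins     = ['siteowner'];   // expected administrator user_login values
$known_cron_hooks = [                // core hooks; add your plugins' hooks here
    'wp_version_check', 'wp_update_plugins', 'wp_update_themes',
    'wp_scheduled_delete', 'wp_scheduled_auto_draft_delete',
    'delete_expired_transients', 'wp_privacy_delete_old_export_files',
];

$findings = [];

// 1. Registration settings. Open registration combined with an
//    administrator default role is what the first scenario relies on.
if ((int) get_option('users_can_register') === 1) {
    $findings[] = 'users_can_register is enabled';
}
$default_role = get_option('default_role');
if ($default_role !== 'subscriber') {
    $findings[] = sprintf('default_role is "%s" (expected "subscriber")', $default_role);
}

// 2. Administrator accounts missing from the allow-list, with their
//    registration timestamp so a burst of recent sign-ups stands out.
foreach (get_users(['role' => 'administrator']) as $user) {
    if (!in_array($user->user_login, $known_admins, true)) {
        $findings[] = sprintf('unexpected administrator "%s" registered %s',
                              $user->user_login, $user->user_registered);
    }
}

// 3. WP-Cron events whose hook name is not known. The second scenario plants
//    scheduled actions here so the backdoor is re-created on a timer.
$cron = _get_cron_array();
if (is_array($cron)) {
    foreach ($cron as $timestamp => $hooks) {
        if (!is_array($hooks)) {
            continue;
        }
        foreach ($hooks as $hook => $events) {
            if (!in_array($hook, $known_cron_hooks, true)) {
                $findings[] = sprintf('unknown cron hook "%s" scheduled for %s',
                                      $hook, gmdate('c', (int) $timestamp));
            }
        }
    }
}

if (empty($findings)) {
    echo "No indicators found.\n";
} else {
    echo "Indicators found:\n";
    foreach ($findings as $finding) {
        echo " - {$finding}\n";
    }
}
```

The script only reports; it changes nothing, so it is safe to run repeatedly while investigating. A finding under point 3 is not proof of compromise on its own, since every plugin registers its own cron hooks, which is why the allow-list has to be completed from the site’s actual configuration before the output means much. If any indicator turns up on a site that ran a vulnerable version, updating the plugin is not enough: the rogue accounts and scheduled actions have to be removed as well, and the site’s files checked for the backdoors the article mentions.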

It’s unclear at this point how the attackers ultimately aim to take advantage of the hijacked websites. At any rate, the potential harmful actions run the gamut and include hosting phishing sites and spewing out spam.
