Home Hacking News Vulnerability In WordPress GDPR Cookie Consent Plugin Risks 700K Websites

Vulnerability In WordPress GDPR Cookie Consent Plugin Risks 700K Websites

by Abeerah Hashim
GiveWP Plugin Vulnerability Risked 100,000+ Websites To RCE Attacks

Another WordPress plugin has now joined the list of plugins exhibiting threatening security flaws. This time, the vulnerability appeared in the GDPR Cookie Consent plugin and risked the integrity of 700,000 websites.

GDPR Cookie Consent Plugin Vulnerability

Reportedly, a researcher from NinTechNet, Jerome Bruandet, has discovered a serious vulnerability in the GDPR Cookie Consent plugin. The bug, considering the 700,000+ active installations of the plugin, could have risked thousands of websites.

As explained in a blog post, Bruandet, found a critical XSS flaw in the plugin that existed due to lack of capability checks in AJAX endpoint. In turn, it exposed the values autosave_contant_data and save_contentdata, enabling an attacker to conduct malicious activities. Specifically, exploiting save_contentdata could have let an adversary to pull published data offline, or entirely delete it. Whereas, exploiting autosave_contant_data could allow injecting malicious JavaScript codes to the site.

Alongside Bruandet, the team Wordfence has also reviewed this vulnerability after they noticed updates in the plugin. The flaw particularly caught their attention after the plugin was closed for review, as stated in their post. They have deemed the bug a critical severity flaw with a CVSS score of 9.0.

Patch Rolled Out

The researcher Bruandet found the vulnerability and reported it to the plugin developers on January 28, 2020. The bug affected plugin versions until 1.8.2.

Consequently, the developers patched the vulnerability with the release of GDPR Cookie Consent v.1.8.3. Since the fix is out, users must ensure they update their plugin to the latest versions to prevent potential exploits.

GDPR Cookie Consent is a dedicated WordPress plugin that facilitates site admins in ensuring site compliance with GDPR.

Earlier this year, WordFence team also discovered vulnerabilities in other WordPress plugins that also threatened thousands of users. These vulnerable plugins include Code Snippets, WP Time Capsule, and InfiniteWP Client.

Let us know your thoughts in the comments.

You may also like