Critical security issues caused by improper access controls in a WordPress plugin designed for GDPR cookie compliance have been resolved, but hundreds of thousands of websites may still be vulnerable to attack.
The GDPR Cookie Consent plugin, offered by developer Cookie Law Info through WebToffee, has been designed to help ensure websites are compliant with the EU’s General Data Protection Regulation (GDPR); specifically, obtaining consent for cookies from visitors, the creation of a Privacy & Cookies Policy page and the enablement of banners showing compliance.
The plugin accounts for over 700,000 active installs according to the WordPress library.
On January 28, NinTechNet researcher Jerome Bruandet discovered a vulnerability affecting GDPR Cookie Consent version 1.8.2 and below.
The security flaw, of which a CVE number has been requested, is a critical issue caused by missed capabilities checks, leading to authenticated, stored cross-site scripting (XSS) and potentially privilege escalation.
A vulnerable AJAX endpoint is the root cause of the problem, in which a failure to implement checks meant that three actions were exposed: get_policy_pageid, autosave_contant_data, and save_contentdata.
According to WordPress security organization WordFence, “because the AJAX endpoint was intended to only be accessible to administrators, the vulnerability allows subscriber-level users to perform a number of actions that can compromise the site’s security.”
Malicious payloads could then be executed that load when http:// websitename /cli-policy-preview/ is visited by members of the public.
In addition, save_contentdata is intended for use in creating or updating the post used for the policy page, and so exposure could permit attackers to change the post content in a number of different ways.
“An authenticated user such as a subscriber can use it to put any existing page or post (or the entire website) offline by changing their status from “published” to “draft,”” Bruandet said.
It may also be possible to use this action to delete material or inject content including “formatted text, local or remote images as well as hyperlinks and shortcodes,” the researcher says.
The severe vulnerability was reported to the developer on February 4. The plugin was temporarily removed from the WordPress.org directory pending a fix on February 8. A patch was made available two days later and was pushed to plugins.svn.wordpress.org.
It is recommended that GDPR Cookie Consent plugin users make sure they are using the latest version of the software, 1.8.3, to stay protected. At the time of writing, 64.5 percent of users have updated — with thousands of websites left to go.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0