A WordPress plug-in that's supposed to help with GDPR compliance contains a dangerous privilege escalation vulnerability that attackers have been actively exploiting to compromise websites.
Known as the WP GDPR Compliance plug-in, the software module helps ensure compliance with Europe's General Data Protection Regulation by providing tools through which site visitors can permit use of their personal data or request data stored by the website's database. Its bug was discovered by the WordPress.org Plugin Directory Team on Nov. 6 and patched the very next day in version 1.4.3.
According to a blog post from WordPress security solution provider Wordfence, over 100,000 users of the popular content management system have installed the GDPR plug-in. These users remain at risk unless they have already updated the software.
A Nov. 8 advisory from the WPScan Vulnerability Database says that the bug specifically exists within the plug-in's "wp-admin/admin-ajax.php" functionality. When exploited, the vulnerability "allows unauthenticated users to execute any action and to update any database value."
Wordfence reports that malicious actors have been leveraging this ability to change values values in order to add new admin accounts onto affected sites. Gaining admin privileges then allows these attackers to seize control of websites in order to potentially redirect users or potentially install malware.
In what appears to be a campaign from a specific actor, researchers have observed multiple compromises from malicious admin accounts using some variation of the username t2trollherten and employing a a malicious webshell named wp-cache.php. A Sucuri blog post also cited instances of the username ‘t3trollherten’, as well as variations of ‘superuser’.
The Sucuri notes that some of the zero-day attacks changed affected WordPress-based websites' URL settings to "hxxp://erealitatea[.]net". Querying the erealitatea.net domain, Sucuri researchers found more than 5,000 results, most of which were generated from infected sites.
"The URL change itself is somewhat of a headache, as the site will stop properly loading," reports Sucuri post author Pedro Peixoto. "The erealitatea[.]net site is currently down, so infected sites take very long time to load -- after which they appear corrupted, as none of the static resources are loaded. On the other hand, if the malicious site was up, it could serve any kind of malicious content to infected websites."
"The same issue happens if you try to log into the site’s back-end, meaning the site owner loses all access to it and will be unable to even address the issue," the post continues.
According to Wordfence, the defective admin-ajax.php functionality found within the plug-in is typically designed to enable data access and deletion requests as required by Europe's GDPR privacy standards. But it also can change the plug-in's settings via the WordPress admin dashboard.
"However, unpatched versions of WP GDPR Compliance fail to do capability checks when executing its internal action 'save_setting' to make such configuration changes. If a malicious user submits arbitrary options and values to this endpoint, the input fields will be stored in the options table of the affected site’s database," the Wordfence report states. "In addition to the storage of arbitrary options values, the plug-in performs a 'do_action' call using the provided option name and value, which can be used by attackers to trigger arbitrary WordPress actions."
Sucuri reports that website owners hit by the redirection attack can fix the unauthorized URL setting change by manually editing the site's database table wp_options. A less desirable workaround is to define some constants within the w--config.php file. Sucuri also recommends that website owners disable user registrations, ensure that the default user role is not set to Administrator, and enable web application firewalls.