The popular WP GDPR Compliance plugin is being actively targeted by attackers after a serious vulnerability was found in earlier versions.
Websites running any version below 1.4.3 are at risk and should update the plugin immediately.
Details of the WP GDPR Compliance plugin hack
According to Search Engine Journal, the WP GDPR Compliance vulnerability is “as bad as they get. Sites are actively being targeted.”
One Facebook user reported that attackers had created two administrator-level accounts on his website, which effectively let them do anything they wanted with the site.
The same user also stated that the attack appeared to be automated and that the perpetrators had not yet installed back doors or rogue pages.
In response to the incident, he removed the rogue administrator accounts, removed his old WordPress installation, installed a fresh version, and finally updated the WP GDPR Compliance plugin. The site was soon back online with no ill effects from the security breach.
This incident suggests that the attackers are deploying bots whose only job is to exploit the WP GDPR Compliance vulnerability and register administrator accounts; the back doors and rogue pages would presumably follow later, once someone returns to use those accounts.
Whatever the bots do afterwards, the Vulnerability Database entry states that “the plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value.” Updating the plugin as soon as possible is therefore strongly recommended, and any site that ran a vulnerable version should also audit its user list for administrator accounts it did not create.
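The incident above was discovered because the site owner noticed two administrator accounts he had not created. The script below is an added example, not code from the article, the plugin or its developer: it lists every user holding the WordPress `administrator` role, optionally only those registered on or after a given date, by reading the `wp_users` and `wp_usermeta` tables directly. It assumes the default `wp_` table prefix (the `capabilities` meta key is prefixed the same way) and runs against a constructed in-memory SQLite copy of the two tables so it can be executed offline; on a live site you would point the same queries at the real MySQL database.

```python
"""Audit a WordPress database for unexpected administrator accounts.

Added example (not code from the article or the WP GDPR Compliance plugin).
Assumes the default 'wp_' table prefix. The sample rows in build_sample_db()
are constructed for this example and do not come from any real site.
"""
import re
import sqlite3

# WordPress stores roles as a PHP-serialised array in wp_usermeta, e.g.
#   a:1:{s:13:"administrator";b:1;}
# This pattern captures each role name whose value is boolean true (b:1).
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Return the set of role names enabled in a serialised capabilities value."""
    return set(ROLE_RE.findall(serialized or ""))


def find_admins(conn, prefix="wp_", since=None):
    """Return sorted (user_login, user_registered) pairs for administrators.

    `since` is an optional 'YYYY-MM-DD' string; WordPress stores
    user_registered as 'YYYY-MM-DD HH:MM:SS', so a plain string comparison
    orders correctly and needs no date parsing.
    """
    sql = (
        f"SELECT u.user_login, u.user_registered, m.meta_value "
        f"FROM {prefix}users AS u "
        f"JOIN {prefix}usermeta AS m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ?"
    )
    admins = []
    # The meta key carries the table prefix too: wp_capabilities for prefix wp_.
    for login, registered, caps in conn.execute(sql, (prefix + "capabilities",)):
        if "administrator" not in roles_from_capabilities(caps):
            continue
        if since is None or registered >= since:
            admins.append((login, registered))
    return sorted(admins)


def build_sample_db():
    """Constructed sample data mirroring the columns the audit reads.

    Two accounts registered in November 2018 hold the administrator role
    even though the site only ever had one real administrator.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
        """
    )
    users = [  # (ID, login, registered, serialised wp_capabilities)
        (1, "siteowner", "2016-03-10 09:12:00", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "editor_jane", "2017-06-01 14:00:00", 'a:1:{s:6:"editor";b:1;}'),
        (3, "support_user", "2018-11-08 03:41:17", 'a:1:{s:13:"administrator";b:1;}'),
        (4, "svc_backup", "2018-11-09 22:05:44", 'a:1:{s:13:"administrator";b:1;}'),
    ]
    for uid, login, registered, caps in users:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?)", (uid, login, registered))
        conn.execute(
            "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
            (uid, "wp_capabilities", caps),
        )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("all administrators:", find_admins(db))
    print("administrators registered since 2018-11-01:",
          find_admins(db, since="2018-11-01"))
```

Any administrator the `since` filter returns that you do not recognise should be treated as an indicator of compromise; as the affected site owner did, remove the account, but also rotate the credentials and secrets the attacker could have read while holding an administrator session, since the account itself may not be the only thing they left behind.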
About the WP GDPR Compliance plugin
The WP GDPR Compliance plugin was developed and released to help webmasters comply with European privacy regulations.
With the plugin installed, it is possible to automatically add a GDPR checkbox to Contact Form 7, Gravity Forms, WooCommerce and WordPress Comments. Visitors and customers can then explicitly allow the website owner to handle their personal data for a defined purpose.
The plugin’s developer Van Ons said that even though a new version of WP GDPR Compliance was released the day after vulnerabilities were reported, widespread online media attention alerted hackers to its security flaws.
“We apologise for allowing these vulnerabilities to get into the plugin that was relied on by over 100,000 websites at the time,” said Van Ons. “We will continue work on the plugin as planned but with a higher regard for security in our code.”
Does the WP GDPR plugin breach mark the start of hacking season?
Writing about the WP GDPR Compliance plugin hack, Search Engine Journal author Roger Montti remarked that “it's been my anecdotal observation for the past several years that hacking related events tend to increase in the months leading up to Christmas.
“Hacking related bot activity seems to increase beginning in November. I believe that the reason hack bots probing for vulnerabilities increase is because criminals are targeting holiday shoppers.”
He went on to add that these bots are not limited to WordPress sites and will attack any kind of CMS. If your CMS, its plugins or your server software are out of date, there is a strong possibility that your site will be compromised.