
Privilege Escalation Flaw In WP GDPR Compliance Plugin Exploited In The Wild

This entry was posted in Vulnerabilities, WordPress Security on November 8, 2018 by Mikey Veenstra

After its removal from the WordPress plugin repository yesterday, the popular plugin WP GDPR Compliance released version 1.4.3, an update which patched multiple critical vulnerabilities. At the time of this writing, the plugin has been reinstated in the WordPress repository and has over 100,000 active installs. The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, allowing them to further infect vulnerable sites. Any sites making use of this plugin should make it an immediate priority to update to the latest version, or deactivate and remove it if updates are not possible.

The Vulnerability

In typical use, the plugin handles a few types of actions that can be submitted via WordPress’s admin-ajax.php endpoint. These actions include the data access and deletion requests required by GDPR, but also include functionality for changing the plugin’s settings from within the WordPress admin dashboard.

However, unpatched versions of WP GDPR Compliance (up to and including version 1.4.2) fail to perform capability checks when executing the plugin’s internal save_setting action to make such configuration changes. If a malicious user submits arbitrary option names and values to this endpoint, they are stored in the options table of the affected site’s database.

In addition to the storage of arbitrary options values, the plugin performs a do_action() call using the provided option name and value, which can be used by attackers to trigger arbitrary WordPress actions.

Disclosures of this flaw have reported it as two distinct vulnerabilities: the arbitrary options update and the arbitrary action calls. Because both live in the same block of code and are triggered by the same payload, we’re treating this as a single privilege escalation vulnerability.

Exploits In The Wild

We’ve already begun seeing cases of live sites infected through this attack vector. In these cases, the ability to update arbitrary options values is being used to install new administrator accounts onto the impacted sites.

By leveraging this flaw to set the users_can_register option to 1, and changing the default_role of new users to “administrator”, attackers can simply fill out the form at /wp-login.php?action=register and immediately access a privileged account. From this point, they can change these options back to normal and install a malicious plugin or theme containing a web shell or other malware to further infect the victim site.

In several of the cases we’ve triaged since the disclosure of this vulnerability, we’ve seen malicious administrator accounts present with variations of the username t2trollherten. This intrusion vector has also been associated with uploaded webshells named wp-cache.php. While these are common IOCs (Indicators of Compromise), these exploits are of course subject to change as attacks grow in sophistication.
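The following is an added triage script, not code from the original post or from Wordfence, that checks a site for the two option changes described above (users_can_register enabled, default_role set to administrator) and for the account and webshell indicators reported in the wild. The sample rows and file paths are constructed stand-ins for data you would read from wp_options, wp_users (joined with the capabilities meta) and a listing of wp-content/uploads; the PHP-in-uploads check generalizes the wp-cache.php indicator, since the uploads directory should not contain executable PHP at all.

```python
import re

# Constructed sample data standing in for a real site's database rows and
# upload listing. Values are illustrative, not captured from a live site.
SAMPLE_OPTIONS = {
    "users_can_register": "1",       # WordPress stores this as "0"/"1"
    "default_role": "administrator", # attacker-set; normal default is "subscriber"
    "siteurl": "https://example.invalid",
}
SAMPLE_USERS = [  # (user_login, role, user_registered)
    ("alice", "administrator", "2017-03-02 10:00:00"),
    ("t2trollherten", "administrator", "2018-11-08 09:14:51"),
    ("editor_bob", "editor", "2018-01-20 08:00:00"),
]
SAMPLE_UPLOADS = [
    "wp-content/uploads/2018/11/photo.jpg",
    "wp-content/uploads/2018/11/wp-cache.php",
]

# Username pattern seen in the triaged cases (t2trollherten, t3trollherten, ...).
SUSPECT_USER_RE = re.compile(r"^t\d+trollherten", re.IGNORECASE)
KNOWN_WEBSHELL_NAMES = {"wp-cache.php"}


def audit_options(options):
    """Flag the option values an attacker sets to open up admin registration."""
    findings = []
    if str(options.get("users_can_register", "0")) not in ("", "0"):
        findings.append("users_can_register is enabled")
    if options.get("default_role", "subscriber") == "administrator":
        findings.append("default_role for new registrations is administrator")
    return findings


def audit_users(users):
    """Flag administrator accounts whose login matches the reported pattern."""
    return [f"suspicious administrator account: {login} (registered {when})"
            for login, role, when in users
            if role == "administrator" and SUSPECT_USER_RE.match(login)]


def audit_uploads(paths):
    """Flag any PHP file under uploads; name the known webshell explicitly."""
    findings = []
    for path in paths:
        name = path.rsplit("/", 1)[-1].lower()
        if path.startswith("wp-content/uploads/") and name.endswith(".php"):
            tag = "known webshell name" if name in KNOWN_WEBSHELL_NAMES else "PHP in uploads"
            findings.append(f"{tag}: {path}")
    return findings
```

Run all three audits together and treat any finding as a reason to restore from a clean backup or engage incident response, since deleting the rogue account alone does not remove a webshell that was uploaded through it.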

Conclusion

Until the patch was released yesterday, more than a hundred thousand WordPress sites using the WP GDPR Compliance plugin were vulnerable to this type of attack. It is of critical importance that any site using this plugin performs the update as soon as possible.

At this time, the Wordfence Threat Intelligence team has released a new firewall rule preventing exploitation of this flaw for all premium users. Users of the free version of Wordfence will receive the new rule following a thirty-day delay, but as always they can protect themselves by updating their site’s plugins.

If you believe your site has been impacted by this vulnerability, please do not hesitate to reach out to our site cleaning team to begin the remediation process. Also, please consider sharing this post with your peers to improve awareness of this issue.


11 Comments on "Privilege Escalation Flaw In WP GDPR Compliance Plugin Exploited In The Wild"

Laura Tulloch November 8, 2018 at 1:36 pm

Many thanks for this alert: I've circulated within my online community.

Susan November 8, 2018 at 2:21 pm

I'm a victim. I had three sites running the plugin and updated them this morning but it was too late for one of the sites. I already had two new Admin user accounts added with the name t2trollherten and t3trollherten.

Lisa November 8, 2018 at 2:49 pm

I found two new admin accounts with that name on my site this morning. I deleted them and changed all of my passwords. I also updated the plugin for the gdpr cookie consent.

How can I tell if the hacker was able to insert malicious code into my site?

Dan Moen November 8, 2018 at 3:12 pm

Hi Lisa, the Wordfence scanner detects the malware we're seeing related to this vulnerability. If you haven't run a scan since you deleted the accounts and updated the plugin we recommend you run one now.

Makeworthy Media November 8, 2018 at 2:50 pm

Thanks for this. I had a client get hit with it this morning on two sites on different hosts. They used the username t2trollherten on both. We caught it pretty soon, but I thought it was odd that registration had been turned on when I knew it hadn't been before.

James November 8, 2018 at 3:50 pm

Thanks as always for your diligent and quick response to emerging threats. Wordfence saved us in this case by flagging this plugin as having been removed from the WP repository before the author had even started taking action. We promptly removed and replaced the plugin before any exploits hit and managed to avoid the fallout. Win!

Marco November 8, 2018 at 4:21 pm

Thanks for your report here. Very helpful. We've been hit with three pages. I hope we solved it now with your help.

Thanks

Pascal November 8, 2018 at 7:29 pm

Thx for keeping us updated so quickly! Just had the first hack with 180 script injections in the files (php & js), a database injection in all posts and a backdoor in /wp-content/uploads/.../wp-upd.php

The added username was t2trollherten like described.

Glibsol November 9, 2018 at 12:19 am

Thanks a lot for the info

Ausrimas November 9, 2018 at 2:56 am

Our website also has been hacked by the same newly added admin.

Not sure how this is going to end.

I hope we can take control of our website. Or can we?

AndyB November 9, 2018 at 4:20 am

Thanks for this post! I've been busting my head all morning trying to figure out how a site belonging to one of our partners has been compromised and the answer was lying in my mail. It's exactly as the post says: the t2trollherten user and the wp-cache.php shell.
