One of the popular plugins, GDPR Cookie Consent, which helps websites comply with the General Data Protection Regulation (GDPR), has been patched against a recent critical flaw. If you haven’t updated the plugin, the bug is still there and it puts your website at risk: it can allow attackers to modify your content and insert malicious code into your website.

WordPress Plugin's Bug Causing Problems to Thousands of Websites

The GDPR Cookie Consent plugin lets websites display cookie banners to indicate that they comply with the EU Privacy Regulations. It has over 700,000 active installations that make it the ideal target for hackers.

The versions affected by the flaw are 1.8.2 and lower. The developers warned of a critical flaw earlier last week, and the GDPR Cookie Consent plugin was then removed from the WordPress.org plugins list “pending a full review”. Such removals can make users worried or confused, but plugins are often removed because of security issues.

The new version, 1.8.3, was released on Feb 10 by Cookie Law Info, the developer behind the plugin.

There have been a variety of code changes, but the security-relevant one is the capability check added to the AJAX endpoint used on the plugin’s administration pages. In vulnerable versions the endpoint is reachable by any logged-in user, not only administrators, so subscriber-level users can perform several actions that could compromise the security of the site.

The endpoint exposes three AJAX actions:

  • get_policy_pageid
  • autosave_contant_data
  • save_contentdata

get_policy_pageid

It does little other than return the post ID of the plugin’s configured cookie policy page, so there is not much risk in having this action available to subscribers.

autosave_contant_data

It is intended to set the default content shown on the cookie policy preview page. The stored HTML content is unfiltered and can contain cross-site scripting (XSS) payloads. The cookie policy preview page is publicly accessible to all users, so these XSS payloads are executed when anyone visits http://<wordpress-site>/cli-policy-preview/.

save_contentdata

It is designed to create or update the post used as the GDPR Cookie Policy page, where end-users of the site choose whether to accept cookies. The action takes a page_id parameter along with a content_data parameter that contains the post content. Because page_id is taken from the request, an attacker can update the post content of any post. The action also sets the post status to draft, so an attacker trying to use this vulnerability for defacement cannot display the content to normal end-users of the site; instead it removes posts and pages from the public-facing portion of the site.

Since the post is in draft status, its content is still visible to post authors, editors, and administrators. By default, when wp_insert_post is used to create or modify posts, the post content is run through wp_filter_post_kses, the HTML whitelist of WordPress, which allows only specific HTML tags and attributes and removes XSS payloads.

However, since the post content may contain shortcodes, an attacker may use the built-in shortcodes of GDPR Cookie Consent to bypass the KSES filter: shortcodes are resolved into HTML when the page is rendered, after the filter has already run.
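To make the fix concrete, here is an added example (not the plugin’s own code) of an admin-ajax handler for saving policy content, first in the unsafe shape described above and then hardened with the capability check the patch introduces, plus a nonce and content sanitisation. The action names, the `example_policy_page_id` option and the `content_data`/`page_id` handling are assumptions made for this example.

```php
<?php
// Added example, not code from the GDPR Cookie Consent plugin.
// Action names and the 'example_policy_page_id' option are hypothetical.

// UNSAFE pattern (what the post describes): registered for every logged-in
// user, no capability check, and page_id taken straight from the request,
// so a subscriber can overwrite the content of any post.
add_action( 'wp_ajax_example_save_policy_unsafe', function () {
    $page_id = isset( $_POST['page_id'] ) ? (int) $_POST['page_id'] : 0;
    $content = isset( $_POST['content_data'] ) ? wp_unslash( $_POST['content_data'] ) : '';
    wp_update_post( array( 'ID' => $page_id, 'post_content' => $content ) );
    wp_send_json_success();
} );

// HARDENED pattern.
add_action( 'wp_ajax_example_save_policy', 'example_save_policy' );
function example_save_policy() {
    // 1. Capability check: only administrators may change plugin-managed
    //    content. wp_send_json_error() terminates the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Nonce check: the request must come from a form the admin loaded,
    //    which blocks cross-site request forgery against the endpoint.
    check_ajax_referer( 'example_save_policy', 'nonce' );

    // 3. Do not trust page_id from the request. Write only to the page the
    //    plugin itself manages, whose ID is stored in a (hypothetical) option.
    $page_id = (int) get_option( 'example_policy_page_id', 0 );
    if ( $page_id <= 0 || get_post_type( $page_id ) !== 'page' ) {
        wp_send_json_error( 'no policy page configured', 400 );
    }

    // 4. Sanitise the submitted HTML with the same allowlist WordPress uses
    //    for post content. strip_shortcodes() is an extra, optional step:
    //    it prevents the KSES allowlist from being bypassed by a shortcode
    //    that expands into markup at render time.
    $raw     = isset( $_POST['content_data'] ) ? wp_unslash( $_POST['content_data'] ) : '';
    $content = wp_kses_post( strip_shortcodes( $raw ) );

    wp_update_post( array( 'ID' => $page_id, 'post_content' => $content ) );
    wp_send_json_success( array( 'page_id' => $page_id ) );
}
```

The capability check is the part that closes the hole the post describes; the nonce, the fixed page ID and the sanitisation are defence in depth. Whether to strip shortcodes depends on whether the plugin relies on its own shortcodes inside the policy page; once only administrators can write the content, leaving them in is a reasonable trade-off.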

The researchers who discovered this vulnerability advise users to upgrade to the latest version, 1.8.3, of the plugin. If you haven’t updated your plugin yet, do so as soon as possible to prevent any security issues.

I hope this post helped you; if it did, please share it on your social media channels.

Subscribe to our YouTube channel for videos related to WordPress plugins and themes. Follow us on Facebook and Twitter for updates related to WordPress.
