GDPR Cookie Consent, a popular plugin that helps websites comply with the General Data Protection Regulation (GDPR), has been patched against a recent critical flaw. If you haven't updated the plugin, the bug is still present and puts your website at risk: it can allow hackers to modify your content and insert malicious code into your website.
The GDPR Cookie Consent plugin lets websites display cookie banners to indicate that they comply with the EU privacy regulations. It has over 700,000 active installations, which makes it an ideal target for hackers.
Versions 1.8.2 and lower are affected by the flaw. The developers warned of a critical flaw early last week, and the GDPR Cookie Consent plugin was then removed from the WordPress.org plugins list "pending a full review". Such removals can leave users worried or confused, but plugins are often removed because of security issues.
The new version, 1.8.3, was released on Feb 10 by Cookie Law Info, the developer behind the plugin.
There have been a variety of code changes, but the security-relevant ones include a capability check applied to the AJAX endpoint used on the plugin's administration pages. The endpoint is meant to be used by administrators; without the check, the vulnerability enables subscriber-level users to take several actions that could compromise the security of the site.
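An added example, not the plugin's own code: a hypothetical WordPress AJAX handler without a capability check, beside a hardened version of the same handler. The action name myplugin_save_content, the nonce field security, the function names and the choice of manage_options are assumptions; page_id and content_data are the parameter names this article mentions.

```php
<?php
// Added illustration with hypothetical names; not GDPR Cookie Consent's source.
// wp_ajax_{action} hooks fire for ANY logged-in user, subscribers included,
// so the handler itself has to decide who may act.
add_action( 'wp_ajax_myplugin_save_content', 'myplugin_save_content_checked' );

// Weak form (shown for contrast, deliberately not hooked): no capability check.
function myplugin_save_content_unchecked() {
    wp_update_post( array(
        'ID'           => (int) $_POST['page_id'],
        'post_content' => $_POST['content_data'], // any logged-in user controls this
        'post_status'  => 'draft',
    ) );
    wp_send_json_success();
}

// Hardened form.
function myplugin_save_content_checked() {
    // CSRF: ends the request unless the 'security' field holds a valid nonce.
    check_ajax_referer( 'myplugin_save_content', 'security' );

    // Authorization: manage_options is assumed here as the administrator-only capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Object-level check: the ID must name a post this user may edit.
    $page_id = isset( $_POST['page_id'] ) ? absint( $_POST['page_id'] ) : 0;
    if ( ! $page_id || ! current_user_can( 'edit_post', $page_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid page_id' ), 400 );
    }

    // Filter the HTML explicitly, then re-slash because wp_update_post expects slashed data.
    $raw     = isset( $_POST['content_data'] ) ? wp_unslash( $_POST['content_data'] ) : '';
    $content = wp_slash( wp_kses_post( $raw ) );

    $result = wp_update_post( array(
        'ID'           => $page_id,
        'post_content' => $content,
        'post_status'  => 'draft',
    ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'page_id' => $page_id ) );
}
```

wp_kses_post leaves shortcodes in place, so the capability check, not the HTML filter, is the control that keeps subscriber-level users out of this handler.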
There are 3 vulnerabilities:
page_id parameter along with a content_data parameter that contains the post content. The parameter allows the attacker to update the post content of any post. It also sets the post status to draft, so attackers trying to use this vulnerability for defacement will not be able to display the post content to normal end-users on the site. It can, however, be used to remove posts and pages from the public-facing portion of the site.
Since the post is in draft status, its content will be available to post authors, editors, and administrators. By default, when wp_insert_post is used to create or modify posts, the post content is run through wp_filter_post_kses, the HTML whitelist of WordPress, which allows only specific HTML tags and attributes and removes XSS payloads.
Since the post content may contain shortcodes, however, an attacker may use the built-in shortcodes of GDPR Cookie Consent to bypass the KSES filter. The shortcodes are resolved when the output is viewed in the browser.
The researchers who noticed this vulnerability are advising users to upgrade to the latest version of the plugin, 1.8.3. If you haven't updated your plugin yet, do so as soon as possible to prevent any security issues.